
The Analysis And Design Of Certificateless Cryptographic Schemes And Proxy Cryptographic Schemes

Posted on: 2009-07-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G Y Zhang
Full Text: PDF
GTID: 1118360245494147
Subject: Information security

Abstract/Summary:
Certificateless public key cryptography (CL-PKC) is intermediate between traditional PKI-based PKC and ID-PKC. In contrast to traditional public key cryptosystems, CL-PKC does not require certificates to guarantee the authenticity of public keys, which avoids some of the hard problems encountered in traditional public key cryptography. It does rely on a trusted third party (TTP) that holds a master key; in this respect CL-PKC is similar to identity-based public key cryptography (ID-PKC). On the other hand, CL-PKC does not suffer from the key escrow problem that seems inherent in ID-PKC, because the user's private key is composed of two parts: a partial private key derived by the KGC from the user's identity, and a secret value chosen by the user that the KGC cannot know.

Since Al-Riyami and Paterson introduced the notion in 2003, certificateless cryptography has been extensively developed. Many definitions have been presented, and Dent et al. gave a survey of the existing definitions. Al-Riyami and Paterson gave the first definition of a certificateless encryption scheme, composed of seven algorithms: Set-Up, Extract-Partial-Private-Key, Set-Secret-Key, Set-Private-Key, Set-Public-Key, Encrypt, Decrypt. Later, a reduced model with five algorithms was shown to be equivalent to the Al-Riyami and Paterson formulation: a new Set-User-Keys algorithm executes the original Set-Secret-Value and Set-Public-Key algorithms, and the Set-Private-Key algorithm is omitted. In order to avoid the Weil pairing, Baek, Safavi-Naini and Susilo proposed a significant departure from the Al-Riyami and Paterson formulation of a certificateless encryption scheme: in their model the partial private key is added to the input of the Set-Public-Key algorithm, so a public key can only be computed after a partial private key has been obtained. Dent explained that this definition can resist DoD attacks, but we find that an adversary can still choose an arbitrary public key that no third party can distinguish from the legitimate public key chosen by the user, so the model still cannot capture DoD attacks. The obvious drawback of this formulation is that it does not allow messages to be encrypted "into the future".

We observe two common drawbacks in all the above models. First, the channel between the KGC and the user must be confidential and authenticated, because once an eavesdropper obtains the message sent over that channel, he can replace the public key and run any cryptographic operation while impersonating the user. Second, the above models cannot offer the same security level as traditional PKI-based cryptographic schemes. To make up for these two drawbacks, a more practical model is presented. It also consists of seven algorithms: Set-Up, Set-Secret-Key, Set-Public-Key, Extract-Partial-Private-Key, Set-Private-Key, Encrypt, Decrypt. Furthermore, the user's public key is one of the inputs of the Extract-Partial-Private-Key algorithm. Thus, even if an eavesdropper obtains the partial private key, he cannot run any cryptographic operation without knowing the secret key corresponding to that partial private key. On the other hand, if the KGC impersonates the user by replacing the public key with one of its own choosing, the user can present his partial private key to expose the KGC. That is to say, the more practical model allows a scheme to reach trust level 3, and the channel between the user and the KGC need not be secure.

In certificateless cryptographic schemes, two types of attacker are generally considered. A Type I attacker A_I represents an ordinary outside attacker. In the general model, A_I cannot obtain the master key, but he can query the following oracles: Partial-Private-Key-Extract-Oracle, Private-Key-Oracle, Public-Key-Oracle, Public-Key-Replace-Oracle and Decryption-Oracle. In the strong attack model of Al-Riyami and Paterson, A_I is given as much power as possible, which in fact does not exist in practice, so we adopt the more realistic attack model in our security proofs. A Type II attacker A_II represents a malicious KGC. A_II holds the master key and, in addition, can query the following oracles: Private-Key-Oracle, Public-Key-Oracle and Decryption-Oracle. Many attack models assume that the malicious KGC only starts attacking after it has honestly generated a master public/secret key pair. For the Type II attacker, however, we think it reasonable that the KGC is malicious from the very setup of the system, that is, the malicious KGC may choose special public parameters in order to impersonate the user. Man Ho Au et al. also proposed a model that removes this assumption and showed that the CL-ENC and CL-SIG schemes proposed by Al-Riyami and Paterson are vulnerable to the malicious-but-passive KGC attack.

As one of our contributions, in chapter 3 we first analyze two existing certificateless schemes. One is a certificateless encryption scheme, which we show is insecure against key replacement attack: any outside attacker can choose a valid public key and decrypt any ciphertext encrypted under that public key. The other is a certificateless signature scheme, which we show is insecure against malicious KGC attack. We then present an efficient certificateless encryption scheme with the following properties:
● Our certificateless encryption scheme is proved secure against the Type I attacker in the standard model, if the Decisional Truncated q-ABDHE assumption holds for (G, G_T, e).
● Our certificateless encryption scheme is secure against a malicious KGC attacker in the standard model, assuming the Decision Bilinear Diffie-Hellman problem is hard.
● Our certificateless encryption scheme reaches Girault's trust level 3.
● In our certificateless encryption scheme, the channel between the KGC and the user need not be secure.
● Compared with the previous certificateless encryption schemes secure in the standard model, our encryption scheme has shorter public keys.
Finally, we present a certificateless signature scheme secure against both malicious KGC attack and DoD attack without random oracles, the first scheme in the literature satisfying these properties:
● The certificateless signature scheme is secure against the malicious KGC attack, assuming the BB+ signature is existentially unforgeable.
● The certificateless signature scheme is secure against the Type I attacker (the outside forger) in the standard model under the computational q-BSDH assumption and the extended Diffie-Hellman (EDH) assumption.
Based on the certificateless signature scheme, we also present a constant-size group signature scheme secure against a malicious group manager: if the group manager forges any user's signature, the user can expose him. The group signature is also secure under adaptive chosen message attack without random oracles, and it satisfies unlinkability, CCA anonymity and strong exculpability.

The need to delegate cryptographic operations led to the introduction of proxy cryptography. In 1996, Mambo et al. first introduced the notion of proxy signature. Since then, proxy signature schemes have developed rapidly because of their extensive practical applications. Different types of proxy signature schemes are applied in different scenarios. Mambo et al. first divided proxy signatures into three levels: full delegation, partial delegation and delegation by warrant. Partial delegation and delegation by warrant are more secure than full delegation. The advantage of partial delegation is processing speed: a proxy signature for partial delegation has a computational advantage over a proxy signature by warrant. Kim, Park and Won first introduced the notion of partial delegation with warrant, performed by inserting the warrant m_w into the proxy signature, which combines the benefits of partial delegation and delegation by warrant; this delegation therefore has fast processing speed and is appropriate for restricting the documents to be signed. Furthermore, since the warrant in partial-delegation-with-warrant schemes can specify its validity period, their scheme does not need an additional proxy revocation protocol. There are also other types of proxy signature. Depending on whether the original signer can generate the same proxy signatures as the proxy signer, there are two kinds of proxy signature scheme, namely the proxy-unprotected scheme and the proxy-protected one; depending on whether the verifier can identify the signer, proxy signatures can also be divided into anonymous proxy signatures and overt proxy signatures. For security, Lee et al. concluded that a secure proxy signature scheme must satisfy the following properties: strong unforgeability, verifiability, strong identifiability, strong undeniability and prevention of misuse. Of course, the properties change according to the type of proxy signature; for example, for a proxy-protected proxy signature with the anonymity property, strong identifiability above is replaced by the property of proxy privacy, and the property of anonymity revocation is added. Before Boldyreva, Palacio and Warinschi gave a precise security notion for proxy signatures, many proxy signature schemes were presented, but they had no formal security guarantee, and most of them, except the LKP scheme, were broken. Boldyreva, Palacio and Warinschi gave a precise standard for the security of proxy signature schemes and presented the first concrete proxy signature scheme proved secure.

In chapter 4 we survey the existing proxy signature schemes. First, the proxy-protected proxy signature schemes: there are mainly two methods for obtaining the proxy-protected property. The most widely applied method is that the original signer signs the warrant with his private key and sends the signature to the proxy signer, who generates the proxy signing key by combining that signature with his own private key; the original signer therefore cannot generate a valid proxy signature impersonating the proxy signer without knowing the proxy signer's private key. The other idea is that the proxy signer generates the proxy private key by running a 3-pass blind signature protocol with the original signer, so that the original signer cannot learn the proxy private key. This method obtains the proxy-protected property in a sense, but it cannot resist the original signer forgery attack; the scheme called the PH scheme adopts this idea. Second, we analyze anonymous proxy signatures: an anonymous proxy signature protects the privacy of both the original signer and the proxy signer, because the verifier cannot tell from the proxy signature who the real signer was; but, to limit the power of the proxy signer, the anonymity of the real signer who generated the proxy signature can be revoked in case of dispute. Shum and Wei proposed an enhancement to Lee et al.'s proxy signature in which the proxy signer's identity is hidden behind an alias. Their scheme has four parties: a trusted Alias Issuing Authority T, the original signer O, the proxy signer P and the signature verifier V.

In 1997, Mambo et al. introduced the proxy cryptosystem. Compared with proxy signatures, few research efforts have been devoted to delegation of decryption. In the scheme of Mambo et al., the proxy decryptor can recover the plaintext only after the ciphertext has been transformed into another ciphertext, but this type of proxy cryptosystem still cannot relieve the original decryptor. In 1998, Blaze, Bleumer and Strauss [64] proposed the notion of atomic proxy cryptography. In their method, the original decryptor and the delegated decryptor together publish a transformation key with which a semi-trusted intermediary transforms a ciphertext encrypted for the original decryptor directly into a ciphertext that the delegated decryptor can decrypt. To remove the burden of transformation entirely, a series of ciphertext-transformation-free proxy cryptosystems followed, in which the proxy decryptor can decrypt without any ciphertext transformation.

As the second result of this thesis, in chapter 5 we first give a generic model for proxy-protected proxy cryptography with the anonymity property. In our model, a third party cannot distinguish who has run the cryptographic operation, which protects the privacy of both the delegator and the delegatee; furthermore, any malicious party will be revealed. Thus the generic model lets a scheme obtain the proxy-protected and anonymity properties simultaneously. Because we cannot always trust a person, revocation of delegation is important in proxy cryptography, especially in proxy decryption. As there is no more efficient method for this problem, our model uses implicit delegation: the encryptor (verifier) need not check the validity of the delegation, because once a delegatee's power to perform cryptographic operations is revoked, he can no longer run those operations correctly. Furthermore, in our model the channel between the delegatee and the delegator need not be secure or authenticated. Second, we give a precise attack model in which two main types of adversary are considered: the delegator and the outside adversary. The first attacker only needs to query the decryption (signature) oracle, because he knows the delegator's private key and can generate the partial proxy private key himself. The second attacker can query two oracles: the partial proxy private key oracle and the decryption (signature) oracle. This attack model provides the security guarantee needed to design provably secure proxy-protected anonymous proxy signatures. Finally, we give two concrete schemes as examples. One is a proxy decryption scheme that is IND-CCA secure against both Type I and Type II adversaries in the standard model, assuming the Decision Bilinear Diffie-Hellman problem is hard. The other is a proxy signature scheme; using the forking lemma, we show that this proxy-protected proxy signature scheme is existentially unforgeable against both Type I and Type II adversaries, assuming the computational Diffie-Hellman (CDH) problem is hard in a Gap Diffie-Hellman group.
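The abstract describes two key structures that share one shape: a certificateless private key (a KGC-issued partial private key, bound to the user's identity and, in the "more practical" model, to the user's already-published public key, combined with a secret only the user knows) and a proxy-protected proxy signing key (the original signer's signature on a warrant combined with the proxy signer's own private key). The toy below is an added illustration written for this page; it is not any scheme from the dissertation, and it replaces the pairing-based constructions with plain Schnorr-style arithmetic over a small prime-order subgroup whose parameters are generated at import time and are far too small for real use. Every name in it (`issue_token`, `full_public_key`, the identity string, the warrant text) is an assumption made here. It exercises the algorithm order described above (Set-Up, Set-Secret-Key, Set-Public-Key, Extract-Partial-Private-Key with the public key as input, Set-Private-Key, Sign, Verify), then checks the two failure modes the abstract argues about: an eavesdropper who captured the partial private key but not the user's secret, and a Type I adversary who replaces the public key while reusing a leaked token. The same token-issuing step is then reused for warrant-based delegation to show why the original signer, who created the token, still cannot produce the proxy's signature.

```python
"""Toy 'delegation token + own secret' key structure (Schnorr-style, added example).
Not the dissertation's pairing-based schemes; group size is a demo size only.
All identifiers are assumptions made for this illustration."""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24


def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, adequate for the ~63-bit toy sizes used here."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(start: int) -> int:
    """First safe prime p = 2q + 1 with q >= start (constructed toy parameter)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = _safe_prime(1 << 62)  # constructed ~63-bit modulus: fine for a demo, no security level
Q = (P - 1) // 2          # prime order of the quadratic-residue subgroup
G = 4                     # 2^2 is a quadratic residue, hence generates that subgroup


def _h(*parts) -> int:
    """Hash arbitrary parts to a challenge scalar mod Q."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """(secret, public): Set-Up for the KGC, Set-Secret-Key/Set-Public-Key for a user."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def issue_token(issuer_sk: int, binding: tuple):
    """Schnorr-style token (d, W) on `binding`.  With the KGC as issuer and
    binding = (ID, PK) this plays Extract-Partial-Private-Key; with the original
    signer as issuer and binding = (warrant, proxy PK) it is the signed warrant.
    Anyone can check g^d = W * issuer_pk^e, so d is tied to the named public key."""
    w = secrets.randbelow(Q - 1) + 1
    W = pow(G, w, P)
    e = _h("token", W, *binding)
    return (w + issuer_sk * e) % Q, W


def full_public_key(issuer_pk: int, W: int, holder_pk: int, binding: tuple) -> int:
    """Public counterpart of the combined secret z + d, recomputable by any verifier."""
    e = _h("token", W, *binding)
    return holder_pk * W * pow(issuer_pk, e, P) % P


def sign(full_sk: int, msg: str, context: tuple):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + full_sk * _h("sig", R, msg, *context)) % Q


def verify(full_pk: int, msg: str, context: tuple, sig) -> bool:
    R, sigma = sig
    return pow(G, sigma, P) == R * pow(full_pk, _h("sig", R, msg, *context), P) % P


def certificateless_demo():
    """Returns (honest_verifies, eavesdropper_verifies, replaced_pk_verifies)."""
    msk, mpk = keygen()                       # Set-Up (KGC)
    z, pk = keygen()                          # user publishes PK before extraction
    ident = "alice@example.org"               # constructed identity
    d, W = issue_token(msk, (ident, pk))      # Extract-Partial-Private-Key(ID, PK)
    sk, ctx = (z + d) % Q, (ident, pk, W)     # Set-Private-Key
    fpk = full_public_key(mpk, W, pk, (ident, pk))
    honest = verify(fpk, "msg", ctx, sign(sk, "msg", ctx))
    # Eavesdropper on the KGC->user channel learned (d, W) but never z.
    eaves = verify(fpk, "msg", ctx, sign(d, "msg", ctx))
    # Type I key replacement: publish pk2 for `ident` and reuse the leaked token;
    # the token's challenge e was computed over the original pk, so it no longer fits.
    z2, pk2 = keygen()
    ctx2 = (ident, pk2, W)
    fpk2 = full_public_key(mpk, W, pk2, (ident, pk2))
    replaced = verify(fpk2, "msg", ctx2, sign((z2 + d) % Q, "msg", ctx2))
    return honest, eaves, replaced


def proxy_demo():
    """Returns (proxy_signer_verifies, original_signer_verifies)."""
    sk_o, pk_o = keygen()                     # original signer
    sk_p, pk_p = keygen()                     # proxy signer
    warrant = "invoices only, valid to 2009-12-31"    # constructed warrant m_w
    d, W = issue_token(sk_o, (warrant, pk_p))         # signed warrant bound to proxy PK
    psk, ctx = (sk_p + d) % Q, (warrant, pk_p, W)     # proxy signing key
    ppk = full_public_key(pk_o, W, pk_p, (warrant, pk_p))
    by_proxy = verify(ppk, "inv-1", ctx, sign(psk, "inv-1", ctx))
    by_original = verify(ppk, "inv-1", ctx, sign(d, "inv-1", ctx))  # knows d, not sk_p
    return by_proxy, by_original


if __name__ == "__main__":
    print("certificateless (honest, eavesdropper, replaced pk):", certificateless_demo())
    print("proxy (proxy signer, original signer):", proxy_demo())
```

Running the file prints `(True, False, False)` for the certificateless flow and `(True, False)` for the proxy flow. The point worth taking from the toy is structural rather than cryptographic: because the challenge `e` covers the holder's public key, a token is useless with any other public key, and because the full secret is `z + d`, holding `d` alone (the eavesdropper, or the original signer who minted it) is never enough to sign. The thesis's actual security arguments rest on pairing assumptions and are not reproduced here.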
Keywords/Search Tags: Certificateless Cryptography, Malicious KGC, Key Replacement Attack, DoD Attack, Group Signature, Proxy Cryptography, Proxy-Protected