
Research On Identity-Based Cryptography Schemes

Posted on: 2011-09-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B Zhang
Full Text: PDF
GTID: 1118360305450913
Subject: Computer application technology

Abstract/Summary:
In traditional public key cryptosystems, a user's public key is a random string unrelated to his identity. When Alice wants to send a message to Bob, she must first obtain Bob's authenticated public key. Typical solutions to this problem involve public key directories maintained by a trusted third party called a Certificate Authority (CA). The problems with traditional public key cryptosystems are the high cost of the infrastructure needed to manage and authenticate public keys, and the difficulty of managing multiple communities.

Identity-based cryptosystems were introduced by Shamir in 1984. Their main idea is that a user's public key can be derived directly from an arbitrary string corresponding to his identity information, such as a name, telephone number or email address. A Private Key Generator (PKG) computes private keys from a master secret and distributes them to the users participating in the scheme. This eliminates the need for the certificates used in a traditional public key infrastructure. Identity-based systems may be a good alternative to certificate-based systems from the viewpoint of efficiency and convenience, so the study of identity-based cryptosystems is of both theoretical and practical significance.

This dissertation investigates the design and security analysis of identity-based schemes, including identity-based signcryption, identity-based multi-signcryption, identity-based anonymous signcryption for multiple receivers and secure key issuing protocols. The contributions of this dissertation can be summarized as follows:

Bilinear pairing computations are used in almost all concrete identity-based schemes, and reducing the number of pairing computations is the key to increasing the efficiency of these schemes. Recently, Li et al. proposed a new identity-based signature scheme whose verification algorithm needs one pairing computation fewer than Paterson's scheme, so its efficiency is improved significantly. In chapter 3, we analyse this scheme and find that it has some security weaknesses: the scheme cannot resist existential forgery if the attacker already holds some private keys or some valid signatures.

In the real world, in order to achieve complete control over signatures, people want to specify the verifier: only the designated verifier can verify and accept the signatures, and a non-designated verifier cannot determine the identity of the signer. In chapter 4, we propose a strong designated verifier proxy signature and an identity-based strong designated verifier proxy signature, both in the random oracle model. The schemes satisfy all security requirements of proxy signatures and strong designated verifier signatures. We also propose the first identity-based strong designated verifier signature in the standard model.

Two fundamental tools of Public Key Cryptography (PKC) are privacy and authenticity, achieved through encryption and signatures respectively. In 1997, Zheng proposed a new cryptographic primitive, signcryption, which performs digital signature and public key encryption simultaneously at lower computational cost and communication overhead than the sign-then-encrypt approach to private and authenticated communication. Signcryption is a very important technology for message security and sender authentication over open channels. In this dissertation, we obtain three results in the research on identity-based signcryption schemes:

1. Recently, Yu et al. proposed the first identity-based signcryption scheme in the standard model. However, in chapter 3, we show that the scheme still has some security weaknesses. Further, we propose a corrected version of the scheme and formally prove its security under the existing security model for identity-based signcryption.

2. Adapting to multi-user settings, in chapter 5, we define the security model of identity-based multi-signcryption schemes and propose the first identity-based multi-signcryption scheme without random oracles, based on Waters' identity-based encryption scheme. The scheme is proved secure against adaptive chosen ciphertext attacks and adaptive chosen message attacks under the decisional bilinear Diffie-Hellman assumption and the computational Diffie-Hellman assumption respectively. Even when reduced to a one-signcrypter scheme, the new scheme is more efficient than the existing one-signcrypter scheme.

3. Anonymous signcryption is a novel cryptographic primitive which provides sender anonymity along with the advantages of traditional signcryption. In chapter 5, we define the fully secure model of identity-based anonymous signcryption and propose the first concrete scheme in the standard model. The proposed scheme satisfies semantic security, unforgeability and signcrypter identity ambiguity. We also give a formal proof of its semantic security under the hardness of the Decisional Bilinear Diffie-Hellman problem and of its unforgeability under the Computational Diffie-Hellman assumption.

In some network applications, people have to distribute the same message to all n members of a group. A simple approach is for the sender to encrypt the message for each member of the group separately; obviously, the cost of this approach in a large group is very high. Broadcast encryption, first proposed by Fiat and Naor in 1993, considers the problem of broadcasting digital content to a large set of authorized users. Applications include pay-TV systems, copyrighted CD/DVD distribution and fee-based online databases. The broadcaster encrypts the message, and only the authorized users hold the decryption keys needed to recover the data. In this type of scheme the sender encrypts a message for some subset of receivers and sends the ciphertext by broadcast over the Internet. Any receiver in the designated subset can use his private key to decrypt the ciphertext, while nobody outside the subset can learn anything about the contents of the broadcast. Broadcast encryption has many advantages, but these advantages make broadcast encryption schemes much more complicated: it is very difficult to satisfy all of them while keeping the ciphertext and keys of constant size simultaneously. Another problem is that broadcast encryption schemes must fix a maximal receiver set in the system setup phase, and the broadcaster must know the identity of everyone in the receiving group. But in many applications the members are unknown to the message sender. In chapter 6, we formalize the notion of identity-based broadcast group-oriented encryption and signcryption and propose a concrete construction based on Gentry's IBE scheme. In our new scheme, the broadcaster can encrypt the message using the designated receiving group's identity, and any receiver in the designated group can independently decrypt the ciphertext. The newly proposed scheme has the following merits: every member of the receiving group needs to keep only one private key; both ciphertexts and system parameters are of constant size; and a sender can send a secure message just by using the receiving group's identity information, even before a receiver in the designated group obtains his private key from the PKG.

In an identity-based cryptosystem, a user's private key is computed by the PKG from a master secret. Therefore, the PKG can decrypt any ciphertext or forge a signature on any message. This inherent problem of identity-based cryptosystems is called "key escrow": the PKG knows the user's private key, so there is no user privacy or authenticity, and the PKG must be trusted as a trusted third party. But in the real world, such a trusted third party is not easily found. Another criticism is that identity-based cryptosystems require a secure channel for delivering private keys between the users and the PKG. Due to these inherent problems, identity-based cryptosystems are considered suitable only for closed user networks with lower security requirements, so eliminating these problems is essential to making identity-based cryptosystems more applicable in the real world. In chapter 7, we show that the existing schemes solving key escrow still have some security weaknesses under active attacks by the PKG. Furthermore, we present a new key issuing mechanism which is undeniable and secure against the PKG's active attacks.
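The two properties the abstract returns to repeatedly, that the identity string itself serves as the public key while a PKG derives every private key from one master secret, and the resulting key escrow problem, can be seen concretely in Shamir's original 1984 identity-based signature scheme. The following is an added example, not code from the dissertation or from any of the schemes it analyses; it implements Shamir's RSA-based construction rather than the pairing-based schemes the dissertation studies, because it needs nothing beyond modular arithmetic. The primes, identities and message are constructed for illustration and are far too small for real use, and the one-way function f(t, m) from Shamir's paper is instantiated here with SHA-256 as an assumption.

```python
"""Shamir (1984) identity-based signatures as a toy demonstration.

Public key  : the identity string itself (mapped into Z_n by hashing).
Master secret: the RSA trapdoor d held by the PKG.
User key    : g = i^d mod n, where i is derived from the identity.
Sign        : pick random r, t = r^e, s = g * r^f(t,m)  (mod n).
Verify      : s^e == i * t^f(t,m)                       (mod n).
Key escrow  : the PKG can run extract() for any identity and sign.
Parameters below are constructed for the example and are not secure.
"""
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy-sized parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def identity_to_int(identity: str, n: int) -> int:
    """Map an identity string (name, e-mail, ...) to an element of Z_n."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n


def _f(t: int, message: bytes) -> int:
    """Shamir's one-way function f(t, m), instantiated with SHA-256 (assumption)."""
    return int.from_bytes(
        hashlib.sha256(t.to_bytes(64, "big") + message).digest(), "big")


class PKG:
    """Private Key Generator: the RSA exponent d is its master secret."""

    def __init__(self, p: int, q: int, e: int = 65537):
        self.n = p * q
        self.e = e
        self._d = pow(e, -1, (p - 1) * (q - 1))  # raises ValueError if e is not invertible

    def public_params(self):
        return self.n, self.e

    def extract(self, identity: str) -> int:
        """User private key g = i^d mod n; in practice delivered over a secure channel."""
        i = identity_to_int(identity, self.n)
        return pow(i, self._d, self.n)

    def forge_as(self, identity: str, message: bytes):
        """Key escrow made explicit: the PKG can sign as any identity it likes."""
        return sign(self.extract(identity), message, self.n, self.e)


def sign(g: int, message: bytes, n: int, e: int):
    r = secrets.randbelow(n - 2) + 2          # fresh random r in [2, n-1]
    t = pow(r, e, n)
    s = (g * pow(r, _f(t, message), n)) % n
    return t, s


def verify(identity: str, message: bytes, signature, n: int, e: int) -> bool:
    """Check s^e == i * t^f(t,m) (mod n); only the identity string is needed."""
    t, s = signature
    i = identity_to_int(identity, n)
    return pow(s, e, n) == (i * pow(t, _f(t, message), n)) % n


def demo() -> dict:
    """Exercise the scheme; returns which checks pass (constructed inputs)."""
    pkg = PKG(_next_prime(1_000_000), _next_prime(2_000_000))
    n, e = pkg.public_params()
    alice = "alice@example.com"                # the public key is just this string
    alice_key = pkg.extract(alice)
    msg = b"pay bob 10"
    sig = sign(alice_key, msg, n, e)
    return {
        "valid": verify(alice, msg, sig, n, e),
        "tampered_message": verify(alice, b"pay bob 100", sig, n, e),
        "wrong_identity": verify("mallory@example.com", msg, sig, n, e),
        # Alice never took part, yet the PKG's signature in her name verifies.
        "pkg_forgery": verify(alice, msg, pkg.forge_as(alice, msg), n, e),
    }


if __name__ == "__main__":
    print(demo())
```

The `pkg_forgery` result is the key escrow problem in one line: nothing distinguishes a signature Alice made from one the PKG made for her, which is exactly why the abstract insists the PKG must be a trusted third party and why chapter 7's key issuing mechanism aims to make the PKG's misbehaviour detectable and undeniable. The `extract` call also stands in for the secure channel the abstract mentions: whoever observes the value of `alice_key` in transit holds Alice's signing capability.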
Keywords/Search Tags: identity-based, signcryption, multi-signcryption, group-oriented, key escrow