
Secure Certificateless Threshold Cryptosystems In The Standard Model

Posted on: 2012-04-29
Degree: Master
Type: Thesis
Country: China
Candidate: Z F Yan
GTID: 2218330338474191
Subject: Computer software and theory
Abstract/Summary:
At AsiaCrypt 2003, Al-Riyami and Paterson introduced a new type of public key cryptosystem called Certificateless Public Key Cryptography (CL-PKC) [1]. In CL-PKC the Key Generation Center (KGC) cannot obtain any user's full private key, because that key combines a partial private key issued by the KGC with a secret value chosen by the user. This removes the inherent key escrow problem of identity-based PKC while keeping its certificate-free property. Because of these two advantages CL-PKC has received a lot of attention from the research community, and a series of results [2-18] are now available. The security of most existing certificateless cryptosystems, however, has only been proved in the random oracle model. In that model some functions (the hash functions of the scheme) are idealized as truly random functions, an assumption that cannot be met by any real hash function. A certificateless cryptosystem proven secure only in the random oracle model may therefore carry security risks in real applications, so certificateless cryptosystems that can be proven secure in the standard model are preferable.

Threshold cryptosystems are useful not only for decentralizing the power to decrypt or sign, but also for enhancing the availability of a cryptosystem and reducing the risk of a single point of failure: any t of the n key-share holders can decrypt or sign, while fewer than t learn nothing about the key. Integrating certificateless public key cryptography with threshold cryptosystems yields certificateless threshold cryptosystems, which enjoy the advantages of both CL-PKC and threshold cryptosystems.

In this thesis we investigate certificateless public key cryptosystems secure in the standard model. In particular, we focus on certificateless threshold decryption and signature schemes that can be proven secure without random oracles. The contribution has two parts. The first part is cryptanalysis of, and concrete attacks against, some existing certificateless threshold cryptosystems. The second part is a new construction of a certificateless threshold decryption scheme secure in the standard model.

First, we examine the security of three existing certificateless threshold cryptosystems: two decryption schemes and one signature scheme. The two certificateless threshold decryption (CLTH-DEC) schemes were proposed by Yang et al. and by Zhang et al., respectively, in 2009. Both were claimed to be chosen ciphertext secure (IND-Th-CCA) in the standard model, assuming that certain problems closely related to the Bilinear Diffie-Hellman Problem are computationally hard. Our cryptanalysis shows that both schemes are in fact insecure. The CLTH-DEC scheme of Yang et al. is vulnerable to a public key replacement attack: since certificateless public keys are not certified, an attacker who replaces a receiver's public key with one of its own choosing can decrypt and obtain the plaintext without knowing that receiver's private key. The CLTH-DEC scheme of Zhang et al. is subject to both malicious KGC attacks and public key replacement attacks; a malicious KGC can decrypt a ciphertext intended for any user without possessing that user's secret value. The certificateless threshold signature (CLTH-SIG) scheme we analyzed was presented by Zhong et al. in 2010; we show that it is universally forgeable under a public key replacement attack. The concrete attacks are described in detail in Chapter 4.

Second, we discuss how to construct a CLTH-DEC scheme that can be proven secure without random oracles, and we present a new construction of such a scheme. The construction uses bilinear pairings, and its security rests on the truncated q-ABDHE assumption. We prove that the new scheme is IND-CCA secure in the standard model, and we briefly analyze its performance.
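The following is an added, generic illustration of what a (t, n) threshold decryption scheme provides, written for this page and not taken from the thesis. It is a Shamir-shared ElGamal decryption over a small Schnorr group, not the thesis's pairing-based CLTH-DEC construction (which relies on the truncated q-ABDHE assumption and is not reproduced here), and it has no certificateless key structure. The toy parameters P = 1019, Q = 509, G = 4 and all function names are assumptions of this example. It shows the two properties the abstract motivates: any t of the n share holders recover the plaintext from their partial decryptions, and fewer than t are refused, so no single server (or minority coalition) becomes a decryption oracle.

```python
import secrets
from itertools import combinations

# Toy group parameters (assumption for this example, not from the thesis):
# a safe prime P = 2*Q + 1 and a generator G of the prime-order-Q subgroup.
# Real deployments use 2048-bit+ groups or elliptic curves; 1019 keeps the
# example fast and readable.
P = 1019
Q = 509
G = 4  # 2^2 mod P, so G lies in the quadratic-residue subgroup of order Q


def keygen(rng=secrets):
    """ElGamal key pair: secret x in [1, Q-1], public key y = G^x mod P."""
    x = rng.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def share_secret(x, t, n, rng=secrets):
    """Shamir (t, n) sharing of x over Z_Q: shares are (i, f(i)), f(0) = x."""
    if not 1 <= t <= n < Q:
        raise ValueError("need 1 <= t <= n < Q")
    coeffs = [x] + [rng.randbelow(Q) for _ in range(t - 1)]
    shares = []
    for i in range(1, n + 1):
        v = 0
        for a in reversed(coeffs):  # Horner evaluation of f(i) mod Q
            v = (v * i + a) % Q
        shares.append((i, v))
    return shares


def lagrange_at_zero(i, indices):
    """Coefficient lambda_i with sum(lambda_i * f(i)) = f(0) mod Q."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = (num * j) % Q
            den = (den * (j - i)) % Q
    return (num * pow(den, -1, Q)) % Q


def encrypt(y, m, rng=secrets):
    """ElGamal encryption of m (1 <= m < P) under public key y."""
    r = rng.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(y, r, P)) % P


def partial_decrypt(share, c1):
    """Server i contributes c1^{s_i}; it never reveals s_i and never sees m."""
    i, s_i = share
    return i, pow(c1, s_i, P)


def combine(partials, ct, t):
    """Combine at least t partial decryptions into the plaintext.

    prod_i (c1^{s_i})^{lambda_i} = c1^{sum lambda_i * s_i} = c1^x, so
    m = c2 / c1^x. Fewer than t partials are refused outright.
    """
    if len(partials) < t:
        raise ValueError(f"threshold not met: {len(partials)} < {t}")
    c1, c2 = ct
    indices = [i for i, _ in partials]
    if len(set(indices)) != len(indices):
        raise ValueError("duplicate share indices")
    d = 1
    for i, d_i in partials:
        d = (d * pow(d_i, lagrange_at_zero(i, indices), P)) % P
    return (c2 * pow(d, -1, P)) % P


def demo(t=3, n=5, m=863):
    """Return (every_t_subset_decrypts, below_threshold_refused) for (t, n).

    m = 863 = 123^2 mod P is a quadratic residue, i.e. an element of the
    order-Q subgroup, which is where messages belong in a Schnorr group.
    """
    x, y = keygen()
    shares = share_secret(x, t, n)
    ct = encrypt(y, m)
    ok = all(
        combine([partial_decrypt(s, ct[0]) for s in subset], ct, t) == m
        for subset in combinations(shares, t)
    )
    try:
        combine([partial_decrypt(s, ct[0]) for s in shares[: t - 1]], ct, t)
        refused = False
    except ValueError:
        refused = True
    return ok, refused


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The partial decryptions are combined in the exponent, so the full secret x is never reconstructed anywhere; that is what distinguishes threshold decryption from simply storing a Shamir-shared private key and rebuilding it on a single machine before use.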
Keywords/Search Tags: Certificateless Public Key Cryptography, Certificateless Threshold Decryption, Certificateless Threshold Signature, Malicious KGC Attack, Public Key Replacement Attack