当前位置:文档之家 › Chosen-Ciphertext Secure Identity-Based Encryption from Computational Bilinear Diffie-Hellman

Chosen-Ciphertext Secure Identity-Based Encryption from Computational Bilinear Diffie-Hellman

  • 格式:pdf
  • 大小:188.19 KB
  • 文档页数:10

下载文档原格式

  / 10

合集下载

(完整版)密码编码学与网络安全第四版第二章答案翻译

(完整版)密码编码学与网络安全第四版第二章答案翻译

第二章2.1什么是对称密码的本质成分?Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.明文加密算法密钥密文解密算法2.2 密码算法中两个基本函数式什么?Permutation and substitution.代换和置换P202.3用密码进行通信的两个人需要多少密钥?对称密码只需要一把,非对称密码要两把P202.4 分组密码和流密码的区别是什么?A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.分组密码每次输入的一组元素,相应地输出一组元素。

流密码则是连续地处理输入元素,每次输出一个元素。

P202.5攻击密码的两种一般方法是什么?Cryptanalysis and brute force.密码分析和暴力破解2.6列出并简要定力基于攻击者所知道信息的密码分析攻击类型。

Ciphertext only. One possible attack under these circumstances is the brute-force approach of trying all possible keys. If the key space is very large, this becomes impractical. Thus, the opponent must rely on an analysis of the ciphertext itself, generally applying various statistical tests to it.Known plaintext.The analyst may be able to capture one or more plaintext messages as well as their encryptions. With this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed.Chosen plaintext. If the analyst is able to choose the messages to encrypt, the analyst may deliberately pick patterns that can be expected to reveal the structure of the key.惟密文已知明文选择明文2.7无条件安全密码和计算上安全密码的区别是什么?An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. An encryption scheme is said to be computationally secure if: (1) the cost of breaking the cipher exceeds the value of the encrypted information, and (2) the time required to break the cipher exceeds the useful lifetime of the information.书本P212.8简要定义Caesar密码The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25.书本P222.9简要定义单表代换密码A monoalphabetic substitution cipher maps a plaintext alphabet to a ciphertext alphabet, so that each letter of the plaintext alphabet maps to a single unique letter of the ciphertext alphabet.书本P232.10简要定义Playfair密码The Playfair algorithm is based on the use of a 5 5 matrix of letters constructed using a keyword. Plaintext is encrypted two letters at a time using this matrix.书本P262.11单表代换密码和夺标代换密码的区别是什么?A polyalphabetic substitution cipher uses a separate monoalphabetic substitution cipher for each successive letter of plaintext, depending on a key.书本P302.12一次一密的两个问题是什么?1. There is the practical problem of making large quantities of random keys. Any heavily usedsystem might require millions of random characters on a regular basis. Supplying truly random characters in this volume is a significant task.2. Even more daunting is the problem of key distribution and protection. For every message to be sent, a key of equal length is needed by both sender and receiver. Thus, a mammoth key distribution problem exists.书本P332.13什么是置换密码?A transposition cipher involves a permutation of the plaintext letters. 书本P332.14什么是隐写术?Steganography involves concealing the existence of a message.书本P362.7.3习题 2.1a.对b 的取值是否有限制?解释原因。

identity-based encryption from the weil pairing

identity-based encryption from the weil pairing

Appears in SIAM J.of Computing,Vol.32,No.3,pp.586-615,2003.An extended abstract of this paper appears in the Proceedings of Crypto2001,volume2139of Lecture Notes in Computer Science,pages 213–229,Springer-Verlag,2001.Identity-Based Encryption from the Weil PairingDan Boneh∗Matthew Franklin†dabo@ franklin@AbstractWe propose a fully functional identity-based encryption scheme(IBE).The scheme has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem.Our system is based on bilinear maps between groups.The Weil pairing onelliptic curves is an example of such a map.We give precise definitions for secure identity basedencryption schemes and give several applications for such systems.1IntroductionIn1984Shamir[41]asked for a public key encryption scheme in which the public key can be an arbitrary string.In such a scheme there are four algorithms:(1)setup generates global system parameters and a master-key,(2)extract uses the master-key to generate the private key corresponding to an arbitrary public key string ID∈{0,1}∗,(3)encrypt encrypts messages using the public key ID,and(4)decrypt decrypts messages using the corresponding private key.Shamir’s original motivation for identity-based encryption was to simplify certificate management in e-mail systems.When Alice sends mail to Bob at bob@ she simply encrypts her message using the public key string“bob@”.There is no need for Alice to obtain Bob’s public key certificate.When Bob receives the encrypted mail he contacts a third party,which we call the Private Key Generator(PKG).Bob authenticates himself to the PKG in the same way he would authenticate himself to a CA and obtains his private key from the PKG.Bob can then read his e-mail.Note that unlike the existing secure e-mail infrastructure,Alice can send encrypted mail to Bob even if Bob has not yet setup his public key certificate.Also note that key escrow is inherent in identity-based e-mail systems:the PKG knows Bob’s private key.We discuss key revocation,as well as several new applications for IBE schemes in the next section.Since the problem was posed in1984there have been several proposals for IBE schemes[11,45, 44,31,25](see also[33,p.561]).However,none of these are fully satisfactory.Some solutions require that users not collude.Other solutions require the PKG to spend a long time for each private key generation request.Some solutions require tamper resistant hardware.It is fair to say that until the results in[5]constructing a usable IBE system was an open problem.Interestingly,the related notions of identity-based signature and authentication schemes,also introduced by Shamir[41],do have satisfactory solutions[15,14].In this paper we propose a fully functional identity-based encryption scheme.The performance of our system is comparable to the performance of ElGamal encryption in F∗p.The security of our system is based on a natural analogue of the computational Diffie-Hellman assumption.Based on ∗Supported by DARPA contract F30602-99-1-0530,NSF,and the Packard Foundation.†Supported by an NSF Career Award and the Packard Foundation.this assumption we show that the new system has chosen ciphertext security in the random oracle ing standard techniques from threshold cryptography[20,22]the PKG in our scheme can be distributed so that the master-key is never available in a single location.Unlike common threshold systems,we show that robustness for our distributed PKG is free.Our IBE system can be built from any bilinear map e:G1×G1→G2between two groups G1,G2as long as a variant of the Computational Diffie-Hellman problem in G1is hard.We use the Weil pairing on elliptic curves as an example of such a map.Until recently the Weil pairing has mostly been used for attacking elliptic curve systems[32,17].Joux[26]recently showed that the Weil pairing can be used for“good”by using it for a protocol for three party one round Diffie-Hellman key exchange.Sakai et al.[40]used the pairing for key exchange and Verheul[46]used it to construct an ElGamal encryption scheme where each public key has two corresponding private keys.In addition to our identity-based encryption scheme,we show how to construct an ElGamal encryption scheme with“built-in”key escrow,i.e.,where one global escrow key can decrypt ciphertexts encrypted under any public key.To argue about the security of our IBE system we define chosen ciphertext security for identity-based encryption.Our model gives the adversary more power than the standard model for chosen ciphertext security[37,2].First,we allow the attacker to attack an arbitrary public key ID of her choice.Second,while mounting a chosen ciphertext attack on ID we allow the attacker to obtain from the PKG the private key for any public key of her choice,other than the private key for ID.This models an attacker who obtains a number of private keys corresponding to some identities of her choice and then tries to attack some other public key ID of her choice.Even with the help of such queries the attacker should have negligible advantage in defeating the semantic security of the system.The rest of the paper is organized as follows.Several applications of identity-based encryption are discussed in Section1.1.We then give precise definitions and security models in Section2.We describe bilinear maps with certain properties in Section3.Our identity-based encryption scheme is presented in Section4using general bilinear maps.Then a concrete identity based system from the Weil pairing is given in Section5.Some extensions and variations(efficiency improvements,distribution of the master-key)are considered in Section6.Our construction for ElGamal encryption with a global escrow key is described in Section7.Section8gives conclusions and some open problems.The Appendix containsa more detailed discussion of the Weil pairing.1.1Applications for Identity-Based EncryptionThe original motivation for identity-based encryption is to help the deployment of a public key infras-tructure.In this section,we show several other unrelated applications.1.1.1Revocation of Public KeysPublic key certificates contain a preset expiration date.In an IBE system key expiration can be done by having Alice encrypt e-mail sent to Bob using the public key:“bob@ current-year”. In doing so Bob can use his private key during the current year only.Once a year Bob needs to obtain a new private key from the PKG.Hence,we get the effect of annual private key expiration.Note that unlike the existing PKI,Alice does not need to obtain a new certificate from Bob every time Bob refreshes his private key.One could potentially make this approach more granular by encrypting e-mail for Bob using “bob@ current-date”.This forces Bob to obtain a new private key every day.This might be possible in a corporate PKI where the PKG is maintained by the corporation.With this approach key revocation is very simple:when Bob leaves the company and his key needs to be revoked, the corporate PKG is instructed to stop issuing private keys for Bob’s e-mail address.As a result,Bob can no longer read his email.The interesting property is that Alice does not need to communicate with any third party certificate directory to obtain Bob’s daily public key.Hence,identity based encryption is a very efficient mechanism for implementing ephemeral public keys.Also note that this approach enables Alice to send messages into the future:Bob will only be able to decrypt the e-mail on the date specified by Alice(see[38,12]for methods of sending messages into the future using a stronger security model).Managing user credentials.A simple extension to the discussion above enables us to manage user credentials using the IBE system.Suppose Alice encrypts mail to Bob using the public key:“bob@ current-year clearance=secret”.Then Bob will only be able to read the email if on the specified date he has secret clearance.Consequently,it is easy to grant and revoke user credentials using the PKG.1.1.2Delegation of Decryption KeysAnother application for IBE systems is delegation of decryption capabilities.We give two example applications.In both applications the user Bob plays the role of the PKG.Bob runs the setup algorithm to generate his own IBE system parameters params and his own master-key.Here we view params as Bob’s public key.Bob obtains a certificate from a CA for his public key params.When Alice wishes to send mail to Bob shefirst obtains Bob’s public key params from Bob’s public key certificate.Note that Bob is the only one who knows his master-key and hence there is no key-escrow with this setup.1.Delegation to a laptop.Suppose Alice encrypts mail to Bob using the current date as the IBE encryption key(she uses Bob’s params as the IBE system parameters).Since Bob has the master-key he can extract the private key corresponding to this IBE encryption key and then decrypt the message.Now,suppose Bob goes on a trip for seven days.Normally,Bob would put his private key on his laptop.If the laptop is stolen the private key is compromised.When using the IBE system Bob could simply install on his laptop the seven private keys corresponding to the seven days of the trip.If the laptop is stolen,only the private keys for those seven days are compromised.The master-key is unharmed.This is analogous to the delegation scenario for signature schemes considered by Goldreich et al.[23].2.Delegation of duties.Suppose Alice encrypts mail to Bob using the subject line as the IBE encryption key.Bob can decrypt mail using his master-key.Now,suppose Bob has several assistants each responsible for a different task(e.g.one is‘purchasing’,another is‘human-resources’,etc.).Bob gives one private key to each of his assistants corresponding to the assistant’s responsibility.Each assistant can then decrypt messages whose subject line falls within its responsibilities,but it cannot decrypt messages intended for other assistants.Note that Alice only obtains a single public key from Bob(params),and she uses that public key to send mail with any subject line of her choice.The mail can only be read by the assistant responsible for that subject.More generally,IBE can simplify security systems that manage a large number of public keys.Rather than storing a big database of public keys the system can either derive these public keys from usernames, or simply use the integers1,...,n as distinct public keys.2DefinitionsIdentity-Based Encryption.An identity-based encryption scheme E is specified by four random-ized algorithms:Setup,Extract,Encrypt,Decrypt:Setup:takes a security parameter k and returns params(system parameters)and master-key.The system parameters include a description of afinite message space M,and a description of afinite ciphertext space C.Intuitively,the system parameters will be publicly known,while the master-key will be known only to the“Private Key Generator”(PKG).Extract:takes as input params,master-key,and an arbitrary ID∈{0,1}∗,and returns a private key d.Here ID is an arbitrary string that will be used as a public key,and d is the corresponding private decryption key.The Extract algorithm extracts a private key from the given public key.Encrypt:takes as input params,ID,and M∈M.It returns a ciphertext C∈C.Decrypt:takes as input params,C∈C,and a private key d.It return M∈M.These algorithms must satisfy the standard consistency constraint,namely when d is the private key generated by algorithm Extract when it is given ID as the public key,then∀M∈M:Decrypt(params,C,d)=M where C=Encrypt(params,ID,M)Chosen ciphertext security.Chosen ciphertext security(IND-CCA)is the standard acceptable notion of security for a public key encryption scheme[37,2,13].Hence,it is natural to require that an identity-based encryption scheme also satisfy this strong notion of security.However,the definition of chosen ciphertext security must be strengthened a bit.The reason is that when an adversary attacks a public key ID in an identity-based system,the adversary might already possess the private keys of users ID1,...,ID n of her choice.The system should remain secure under such an attack.Hence,the definition of chosen ciphertext security must allow the adversary to obtain the private key associated with any identity ID i of her choice(other than the public key ID being attacked).We refer to such queries as private key extraction queries.Another difference is that the adversary is challenged on a public key ID of her choice(as opposed to a random public key).We say that an identity-based encryption scheme E is semantically secure against an adaptive chosen ciphertext attack(IND-ID-CCA)if no polynomially bounded adversary A has a non-negligible advantage against the Challenger in the following IND-ID-CCA game:Setup:The challenger takes a security parameter k and runs the Setup algorithm.It givesthe adversary the resulting system parameters params.It keeps the master-key to itself.Phase1:The adversary issues queries q1,...,q m where query q i is one of:–Extraction query ID i .The challenger responds by running algorithm Extract to gen-erate the private key d i corresponding to the public key ID i .It sends d i to theadversary.–Decryption query ID i,C i .The challenger responds by running algorithm Extract to generate the private key d i corresponding to ID i.It then runs algorithm Decrypt todecrypt the ciphertext C i using the private key d i.It sends the resulting plaintext tothe adversary.These queries may be asked adaptively,that is,each query q i may depend on the repliesto q1,...,q i−1.Challenge:Once the adversary decides that Phase1is over it outputs two equal lengthplaintexts M0,M1∈M and an identity ID on which it wishes to be challenged.The onlyconstraint is that ID did not appear in any private key extraction query in Phase1.The challenger picks a random bit b∈{0,1}and sets C=Encrypt(params,ID,M b).Itsends C as the challenge to the adversary.Phase2:The adversary issues more queries q m+1,...,q n where query q i is one of:–Extraction query ID i where ID i=ID.Challenger responds as in Phase1.–Decryption query ID i,C i = ID,C .Challenger responds as in Phase1.These queries may be asked adaptively as in Phase1.Guess:Finally,the adversary outputs a guess b ∈{0,1}and wins the game if b=b .We refer to such an adversary A as an IND-ID-CCA adversary.We define adversary A’sadvantage in attacking the scheme E as the following function of the security parameter k (k is given as input to the challenger):Adv E,A(k)= Pr[b=b ]−12 .The probability is over the random bits used by the challenger and the adversary.Using the IND-ID-CCA game we can define chosen ciphertext security for IBE schemes.As usual,we say that a function g:R→R is negligible if for any d>0we have|g(k)|<1/k d for sufficiently large k. Definition2.1.We say that the IBE system E is semantically secure against an adaptive chosen ci-phertext attack if for any polynomial time IND-ID-CCA adversary A the function Adv E,A(k)is negligible. As shorthand,we say that E is IND-ID-CCA secure.Note that the standard definition of chosen ciphertext security(IND-CCA)[37,2]is the same as above except that there are no private key extraction queries and the adversary is challenged on a random public key(rather than a public key of her choice).Private key extraction queries are related to the definition of chosen ciphertext security in the multiuser settings[7].After all,our definition involves multiple public keys belonging to multiple users.In[7]the authors show that that multiuser IND-CCA is reducible to single user IND-CCA using a standard hybrid argument.This does not hold in the identity-based settings,IND-ID-CCA,since the adversary gets to choose which public keys to corrupt during the attack.To emphasize the importance of private key extraction queries we note that our IBE system can be easily modified(by removing one of the hash functions)into a system which has chosen ciphertext security when private extraction queries are disallowed.However,the scheme is completely insecure when extraction queries are allowed.Semantically secure identity based encryption.The proof of security for our IBE system makes use of a weaker notion of security known as semantic security(also known as semantic security against a chosen plaintext attack)[24,2].Semantic security is similar to chosen ciphertext security(IND-ID-CCA)except that the adversary is more limited;it cannot issue decryption queries while attacking the challenge public key.For a standard public key system(not an identity based system)semantic security is defined using the following game:(1)the adversary is given a random public key generated by the challenger,(2)the adversary outputs two equal length messages M0and M1and receives the encryption of M b from the challenger where b is chosen at random in{0,1},(3)the adversary outputs b and wins the game if b=b .The public key system is said to be semantically secure if no polynomial time adversary can win the game with a non-negligible advantage.As shorthand we say that a semantically secure public key system is IND-CPA secure.Semantic security captures our intuition that given a ciphertext the adversary learns nothing about the corresponding plaintext.To define semantic security for identity based systems(denoted IND-ID-CPA)we strengthen the standard definition by allowing the adversary to issue chosen private key extraction queries.Similarly, the adversary is challenged on a public key ID of her choice.We define semantic security for identity based encryption schemes using an IND-ID-CPA game.The game is identical to the IND-ID-CCA game defined above except that the adversary cannot make any decryption queries.The adversary can only make private key extraction queries.We say that an identity-based encryption scheme E is semantically secure(IND-ID-CPA)if no polynomially bounded adversary A has a non-negligible advantage against the Challenger in the following IND-ID-CPA game:Setup:The challenger takes a security parameter k and runs the Setup algorithm.It givesthe adversary the resulting system parameters params.It keeps the master-key to itself.Phase1:The adversary issues private key extraction queries ID1,...,ID m.The challengerresponds by running algorithm Extract to generate the private key d i corresponding tothe public key ID i.It sends d i to the adversary.These queries may be asked adaptively.Challenge:Once the adversary decides that Phase1is over it outputs two equal lengthplaintexts M0,M1∈M and a public key ID on which it wishes to be challenged.Theonly constraint is that ID did not appear in any private key extraction query in Phase1.The challenger picks a random bit b∈{0,1}and sets C=Encrypt(params,ID,M b).Itsends C as the challenge to the adversary.Phase2:The adversary issues more extraction queries ID m+1,...,ID n.The only constraintis that ID i=ID.The challenger responds as in Phase1.Guess:Finally,the adversary outputs a guess b ∈{0,1}and wins the game if b=b .We refer to such an adversary A as an IND-ID-CPA adversary.As we did above,theadvantage of an IND-ID-CPA adversary A against the scheme E is the following function of the security parameter k:Adv E,A(k)= Pr[b=b ]−12 .The probability is over the random bits used by the challenger and the adversary.Definition2.2.We say that the IBE system E is semantically secure if for any polynomial time IND-ID-CPA adversary A the function Adv E,A(k)is negligible.As shorthand,we say that E is IND-ID-CPA secure.One way identity-based encryption.One can define an even weaker notion of security called one-way encryption(OWE)[16].Roughly speaking,a public key encryption scheme is a one-way encryption if given the encryption of a random plaintext the adversary cannot produce the plaintext in its entirety. One way encryption is a weak notion of security since there is nothing preventing the adversary from, say,learning half the bits of the plaintext.Hence,one-way encryption schemes do not generally provide secure encryption.In the random oracle model one-way encryption schemes can be used for encrypting session-keys(the session-key is taken to be the hash of the plaintext).We note that one can extend the notion of one-way encryption to identity based systems by adding private key extraction queries to the definition.We do not give the full definition here since in this paper we use semantic security as the weakest notion of security.See[5]for the full definition of identity based one-way encryption,and its use as part of an alternative proof strategy for our main result.Random oracle model.To analyze the security of certain natural cryptographic constructions Bel-lare and Rogaway introduced an idealized security model called the random oracle model[3].Roughlyspeaking,a random oracle is a function H:X→Y chosen uniformly at random from the set of all functions{h:X→Y}(we assume Y is afinite set).An algorithm can query the random oracle at any point x∈X and receive the value H(x)in response.Random oracles are used to model crypto-graphic hash functions such as SHA-1.Note that security in the random oracle model does not imply security in the real world.Nevertheless,the random oracle model is a useful tool for validating natural cryptographic constructions.Security proofs in this model prove security against attackers that are confined to the random oracle world.Notation.From here on we use Z q to denote the group{0,...,q−1}under addition modulo q.For a group G of prime order we use G∗to denote the set G∗=G\{O}where O is the identity element in the group G.We use Z+to denote the set of positive integers.3Bilinear maps and the Bilinear Diffie-Hellman AssumptionLet G1and G2be two groups of order q for some large prime q.Our IBE system makes use of a bilinear mapˆe:G1×G1→G2between these two groups.The map must satisfy the following properties: 1.Bilinear:We say that a mapˆe:G1×G1→G2is bilinear ifˆe(aP,bQ)=ˆe(P,Q)ab for all P,Q∈G1 and all a,b∈Z.2.Non-degenerate:The map does not send all pairs in G1×G1to the identity in G2.Observe that since G1,G2are groups of prime order this implies that if P is a generator of G1thenˆe(P,P)is a generator of G2.putable:There is an efficient algorithm to computeˆe(P,Q)for any P,Q∈G1.A bilinear map satisfying the three properties above is said to be an admissible bilinear map.In Section5we give a concrete example of groups G1,G2and an admissible bilinear map between them. The group G1is a subgroup of the additive group of points of an elliptic curve E/F p.The group G2is asubgroup of the multiplicative group of afinitefield F∗p2.Therefore,throughout the paper we view G1as an additive group and G2as a multiplicative group.As we will see in Section5.1,the Weil pairing can be used to construct an admissible bilinear map between these two groups.The existence of the bilinear mapˆe:G1×G1→G2as above has two direct implications to these groups.The MOV reduction:Menezes,Okamoto,and Vanstone[32]show that the discrete log problem in G1is no harder than the discrete log problem in G2.To see this,let P,Q∈G1be an instance of the discrete log problem in G1where both P,Q have order q.We wish tofind anα∈Z q such that Q=αP.Let g=ˆe(P,P)and h=ˆe(Q,P).Then,by bilinearity ofˆe we know that h=gα.By non-degeneracy ofˆe both g,h have order q in G2.Hence,we reduced the discrete log problem in G1to a discrete log problem in G2.It follows that for discrete log to be hard in G1we must choose our security parameter so that discrete log is hard in G2(see Section5).Decision Diffie-Hellman is Easy:The Decision Diffie-Hellman problem(DDH)[4]in G1is to dis-tinguish between the distributions P,aP,bP,abP and P,aP,bP,cP where a,b,c are random in Z∗q and P is random in G∗1.Joux and Nguyen[28]point out that DDH in G1is easy.To see this,observe that given P,aP,bP,cP∈G∗1we havec=ab mod q⇐⇒ˆe(P,cP)=ˆe(aP,bP).The Computational Diffie-Hellman problem(CDH)in G1can still be hard(CDH in G1is tofind abP given random P,aP,bP ).Joux and Nguyen[28]give examples of mappingsˆe:G1×G1→G2where CDH in G1is believed to be hard even though DDH in G1is easy.3.1The Bilinear Diffie-Hellman Assumption(BDH)Since the Decision Diffie-Hellman problem(DDH)in G1is easy we cannot use DDH to build cryp-tosystems in the group G1.Instead,the security of our IBE system is based on a variant of the Computational Diffie-Hellman assumption called the Bilinear Diffie-Hellman Assumption(BDH). Bilinear Diffie-Hellman Problem.Let G1,G2be two groups of prime order q.Letˆe:G1×G1→G2be an admissible bilinear map and let P be a generator of G1.The BDH problem in G1,G2,ˆe is as follows:Given P,aP,bP,cP for some a,b,c∈Z∗q compute W=ˆe(P,P)abc∈G2.An algorithm A has advantage in solving BDH in G1,G2,ˆe ifPr A(P,aP,bP,cP)=ˆe(P,P)abc ≥where the probability is over the random choice of a,b,c in Z∗q,the random choice of P∈G∗1,and the random bits of A.BDH Parameter Generator.We say that a randomized algorithm G is a BDH parameter generator if(1)G takes a security parameter k∈Z+,(2)G runs in polynomial time in k,and(3)G outputs a prime number q,the description of two groups G1,G2of order q,and the description of an admissible bilinear mapˆe:G1×G1→G2.We denote the output of G by G(1k)= q,G1,G2,ˆe .The security parameter k is used to determine the size of q;for example,one could take q to be a random k-bit prime.For i=1,2we assume that the description of the group G i contains polynomial time(in k) algorithms for computing the group action in G i and contains a generator of G i.The generator of G i enables us to generate uniformly random elements in G i.Similarly,we assume that the description of ˆe contains a polynomial time algorithm for computingˆe.We give an example of a BDH parameter generator in Section5.1.BDH Assumption.Let G be a BDH parameter generator.We say that an algorithm A has advan-tage (k)in solving the BDH problem for G if for sufficiently large k:Adv G,A(k)=Pr A(q,G1,G2,ˆe,P,aP,bP,cP)=ˆe(P,P)abc q,G1,G2,ˆe ←G(1k),P←G∗1,a,b,c←Z∗q ≥ (k) We say that G satisfies the BDH assumption if for any randomized polynomial time(in k)algorithm A we have that Adv G,A(k)is a negligible function.When G satisfies the BDH assumption we say that BDH is hard in groups generated by G.In Section5.1we give some examples of BDH parameter generators that are believed to satisfy the BDH assumption.We note that Joux[26](implicitly)used the BDH assumption to construct a one-round three party Diffie-Hellman protocol.The BDH assumption is also needed for constructions in[46,40].Hardness of BDH.It is interesting to study the relationship of the BDH problem to other hard problems used in cryptography.Currently,all we can say is that the BDH problem in G1,G2,ˆe is no harder than the CDH problem in G1or G2.In other words,an algorithm for CDH in G1or G2is sufficient for solving BDH in G1,G2,ˆe .The converse is currently an open problem:is an algorithm for BDH sufficient for solving CDH in G1or in G2?We refer to a survey by Joux[27]for a more detailed analysis of the relationship between BDH and other standard problems.We note that in all our examples(in Section5.1)the isomorphisms from G1to G2induced by the bilinear map are believed to be one-way functions.More specifically,for a point Q∈G∗1define the isomorphism f Q:G1→G2by f Q(P)=ˆe(P,Q).If any one of these isomorphisms turns out to be invertible then BDH is easy in G1,G2,ˆe .Fortunately,an efficient algorithm for inverting f Q for some fixed Q would imply an efficient algorithm for deciding DDH in the group G2.In all our examples DDH is believed to be hard in the group G2.Hence,all the isomorphisms f Q:G1→G2induced by the bilinear map are believed to be one-way functions.4Our Identity-Based Encryption SchemeWe describe our scheme in stages.First we give a basic identity-based encryption scheme which is not secure against an adaptive chosen ciphertext attack.The only reason for describing the basic scheme is to make the presentation easier to follow.Our full scheme,described in Section4.2,extends the basic scheme to get security against an adaptive chosen ciphertext attack(IND-ID-CCA)in the random oracle model.In Section4.3we relax some of the requirements on the hash functions.The presentation in this section uses an arbitrary BDH parameter generator G satisfying the BDH assumption.In Section5we describe a concrete IBE system using the Weil pairing.4.1BasicIdentTo explain the basic ideas underlying our IBE system we describe the following simple scheme,called BasicIdent.We present the scheme by describing the four algorithms:Setup,Extract,Encrypt,Decrypt. We let k be the security parameter given to the setup algorithm.We let G be some BDH parameter generator.Setup:Given a security parameter k∈Z+,the algorithm works as follows:Step1:Run G on input k to generate a prime q,two groups G1,G2of order q,and an admissible bilinear mapˆe:G1×G1→G2.Choose a random generator P∈G1.Step2:Pick a random s∈Z∗q and set P pub=sP.Step3:Choose a cryptographic hash function H1:{0,1}∗→G∗1.Choose a cryptographic hash function H2:G2→{0,1}n for some n.The security analysis will view H1,H2as random oracles. The message space is M={0,1}n.The ciphertext space is C=G∗1×{0,1}n.The system parameters are params= q,G1,G2,ˆe,n,P,P pub,H1,H2 .The master-key is s∈Z∗q.Extract:For a given string ID∈{0,1}∗the algorithm does:(1)computes Q ID=H1(ID)∈G∗1,and (2)sets the private key d ID to be d ID=sQ ID where s is the master key.Encrypt:To encrypt M∈M under the public key ID do the following:(1)compute Q ID=H1(ID)∈,(2)choose a random r∈Z∗q,and(3)set the ciphertext to beG∗1) where g ID=ˆe(Q ID,P pub)∈G∗2C= rP,M⊕H2(g rID。

信息系统安全工程_密码学基础和古典加密_软件

信息系统安全工程_密码学基础和古典加密_软件

密码分析的攻击条件

根据密码分析者对明文、密文等信息掌握的多 少,可将密码分析分为以下四种情形(强度依 次递增 ):

1、唯密文攻击(Ciphertext Only Attack):破译 者仅有待破译的密文。 2、已知明文攻击(Known Plaintext Attack):破 译者拥有一定数量的密文和对应的明文。 3、选择明文攻击(Chosen Plaintext Attack): 破译者可以选定一些明文,并获得对应的密文。 4、选择密文攻击(Chosen Ciphertext Attack): 破译者可以选定一些密文,并获得对应的明文。

密钥空间:26
对移位密码的强行攻击


由于移位密码的可能密钥只有 26 个,因此可以对密 钥进行穷举尝试,将每一个密钥带入解密规则,直到 获得一个“有意义”的明文串 例如对于前面凯撒密码的例子进行强行攻击如下(唯 密文攻击):
Key P H H W P H D I W H U W K H W R J D S D U W B 1 2 3 o g g v o g c h v g t v j g v q i c r c t v a n f f u n f b g u f s u i f u p h b q b s u z m e e t m e a f t e r t h e t o g a p a r t y

2、可证明安全性


3、无条件安全性

2、密码体制分类


按通信双方使用的密钥,分为单钥密码体制 和公钥密码体制 按对明文数据的处理方式,分为分组密码体 制和流密码体制
单钥体制和公钥体制

单钥体制
也叫对称加密体制或常规加密体制 同一次加解密中发送者和接收者使用相同的密 钥(或虽然不同,但容易从一个密钥推出另一 个密钥)

素数无限证明及对RSA攻击描述

素数无限证明及对RSA攻击描述

1、证明素数为无限的用反证法证明。

假设素数只有有限的n个,从小到大依次排列为p1,p2,...,pn,则x = (p1·p2·...·pn)+1 显然是不能被p1,p2,...,pn中的任何一个素数整除的,因此x也是一个素数,这和只有n个素数矛盾,所以素数是无限多的。

2、针对RSA的攻击潜在攻击的分类:(1)因数分解攻击(Factorization Attack)RSA的安全性基于这么一种想法,那就是模要足够大以至于在适当的时间内把它分解是不可能的。

乙选择p和q,并且计算出n = p×q。

虽然n是公开的,但p和q是保密的。

如果甲能分解n并获得p和q,她就可以计算出。

然后,因为e是公开的,甲还可以计算出。

私密指数d是甲可以用来对任何加密信息进行解密的暗门。

有许多种因数分解算法,但是没有一种可以分解带有多项式时间复杂度的大整数。

为了安全,目前的RSA要求n必须大于300个十进制数位,这就是说模必须最小是1024比特。

即使运用现在最大最快的计算机,分解这么大的整数所要花费的时间也是不可想象的。

这就表明只要还没有发现更有效的因数分解算法,RSA就是安全的。

(2)选择密文攻击(chosen-Ciphertext attack)针对RSA的潜在攻击都基于RSA的乘法特性,我们假定丙创建了密文C = Pe mod n并且把C发送给乙。

我们也假定乙要对甲的任意密文解密,而不是只解密C。

甲拦截C并运用下列步骤求出P:(1) 甲选择中的一个随机整数X。

(2) 甲计算出。

(3) 为了解密甲把Y发送给乙并得到;这个步骤就是选择密文攻击的一个例子。

(4) 甲能够很容易地得到P,因为甲运用扩展的欧几里得算法求X的乘法逆,并最终求得。

(3)对加密指数的攻击为了缩短加密时间,使用小的加密指数e是非常诱人的。

普通的e值是e = 3(第二个素数)。

不过有几种针对低加密指数的潜在攻击,在这里我们只作简单的讨论。

《信息安全原理与技术》试题与答案

《信息安全原理与技术》试题与答案

《信息安全原理与技术》试题与答案《信息安全原理与技术》试题与答案⼀、写出下⾯术语的中⽂名称Block Cipher 分组密码Ciphertext 密⽂(密码:Cipher)Known-Plaintext Attack 已知明⽂攻击Encryption 加密Non-Repudiation 不可否认性Key Distribution Center 秘钥分配中⼼Denial of Service拒绝服务Data Integrity数据完整性AES ⾼级加密标准(Advanced encryption Standards)Authorization 认证;授权Relpay Attack 重放攻击One-way Function 单向函数Brute Force Search 穷举攻击Stream Cipher 流密码Symmetric Encryption 对称加密Asymmetric Encryption ⾮对称密码体制Ciphertext-only Attack 唯密⽂攻击Known-Plaintext Attack 已知明⽂攻击Chosen-Plaintext Attack 选择明⽂攻击Man-in-the-Middle Attack 中间⼈攻击Message Authentication Code 消息认证码Hashed Message Authentication Code 散列消息认证码Digital Signature 数字签名Secure Socket Layer 安全套接字层(SSL)⼆、选择题1.如果m表⽰明⽂,c表⽰密⽂,E代表加密变换,D代表解密变换,则下列表达式中描述加密过程的是( A )A、c=E(m)B、c=D(m)C、m=E(c)D、m=D(c)2.将获得的信息再次发送以在⾮授权情况下进⾏传输,这属于(D )A 窃听B篡改C 伪装D 重放3. DES加密过程⽤以下形式交换,其中正确的是( B )A、Li-1=Ri-1 Ri-1=Li-1⊕f(R i,Ki) i=1,2,3, (16)B、Li=Ri-1 Ri=Li-1⊕f(Ri-1,Ki) i=1,2,3, (16)C、Li-1=Ri+1 Ri=Li+1⊕f(Ri-1,Ki) i=1,2,3, (16)D、Li-1=Ri-1 Ri=Li+1⊕f(Ri-1,Ki) i=0,1,2,3, (15)4. 在不知道密钥的情况下,通过获取密⽂⽽恢复明⽂的⽅法是。

无证书签密的通用可组合机制

无证书签密的通用可组合机制

UNIVERSALLYCOMPOSABLEMECHANISM FORCERTIFICATELESSSIGNCRYPTION
WangLinjie1,2 TianYouliang2,3
1(SchoolofDataScience,TongrenUniversity,Tongren554300,Guizhou,China) 2(CollegeofComputerScienceandTechnology,GuizhouUniversity,Guiyang550025,Guizhou,China)
收稿日期:2019-09-25。国家自然科学基金项目(61962009,61772008);贵州省科技重大专项计划项目(20183001);贵州省科 技计划项目([2019]1098,ZK[2021]-325);贵州省高层次创新人才项目([2020]6008);贵州省研究生基金项目(yjscxjh2019101); 铜仁市科技计划项目([2020]78号)。王琳杰,副教授,主研领域:网络信息安全。田有亮,教授。
1.2 无证书签密协议
定义 3[12] 一个无证书的签密方案是由系统初始 化、部分密钥生成、私钥生成、签密算法和解签密算法 五个多项式时间算法组成。该方案的合法参与者有签 密者 P、签密消息接受者 R和密钥生成中心 PKG。
1)系统初始化(Setup):PKG输入安全参数 1λ,生 成输 出 主 密 钥 s和 系 统 参 数 params,保 密 s,公 开 params。
318
计算机应用与软件
2021年
(Identitydocument,ID),它 们 都 保 存 在 一 个 称 为 可 信 中心(CA)的机构里面。如果想要与网络中某人通信 就要到 CA中查找相应人员的 ID,但是在实际的运行 中发现有不可信的 CA进行伪造或者修改过期 ID的 操作,为此密码界的学者想方设法解决不可信 CA的 问题。1984年,Shamir[4]在基于身份的公钥加密体制 方案中提出了一个密钥管理问题,而 ALRiyami等[5] 为了解决上述密钥管理问题,于 2003年首次提出一种 无证书的公钥密码体制,其中用户的私钥是由用户在 KGC生成的主密钥的基础上随机选取秘密值生成的, 由此克服了传统公钥密码体制中密钥托管问题。

信息安全工程师教程内1.5节专业英语翻译

信息安全工程师教程内1.5节专业英语翻译

Cryptography is the practice and study of hiding information. In modern times, cryptography is considered a branch of both mathematics and computer science, and is affiliated closely with information theory,computer security, and engineering. Cryptography is used in applications present in technologically advanced societies; examples include the security of ATM cards, computer passwords,and electronic commerce, which all depend on cryptography.密码学是信息隐藏的实践与研究。

现代密码学被认为是数学和计算机科学的一个分支,它与信息论、计算机安全和工程密切相关。

密码技术被应用于技术先进的社会中,例如A TM卡、计算机密码和电子商务的安全,这些都依赖于密码学。

(1 )TerminologyUntil modem times, cryptography referred almost exclusively to encryption, the process of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext). Decryption is the reverse, moving from unintelligible ciphertext to plaintext. A cipher (or cypher) is a pair of algorithms which creates the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter (ideal以known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption, without additional procedures such as authentication or integrity checks.直到近代,加密提到几乎完全加密,普通的转换过程的信息(明文)到不知所云胡言乱语(即密文)。

02 古典密码及分析

02 古典密码及分析


已知明文攻击,known plaintext

选择明文攻击,chosen plaintext

选择密文攻击,chosen ciphertext

选择文本攻击,chosen text

西安电子科技大学计算机学院
7
基于密码分析的攻击
Cryptanalytic Attacks
An algorithm that meets one or both of the following criteria:
An encryption scheme is said to be computationally secure if either of the foregoing two criteria are met.
unconditionally secure
8
西安电子科技大学计算机学院
穷举攻击
Key Size (bits)


西安电子科技大学计算机学院
15
对称密码模型
(Symmetric Cipher Model)
西安电子科技大学计算机学院
16
西安电子科技大学计算机学院
17

对称密码安全的两个必备条件:

加密算法必须是足够强的 a strong encryption algorithm 惟有发送者和接收者知道的秘密密钥 a secret key known only to sender / receiver C = EK(P) P = DK(C)
10
密码学的发展历史

第1阶段:1949年以前

1949年以前的密码技术可以说是一种艺术,而不是一种科 学,那时的密码专家是凭直觉和信念来进行密码设计和分 析的,而不是靠推理证明。

网络信息安全-密码学基本概念

网络信息安全-密码学基本概念

密码学基本概念一.学科分类密码术(Cryptology)(1)密码学(Cryptography)研究如何构建强大、有效的加密/解密方法体系的学科(2)密码分析学(Cryptanalysis)研究加密/解密方法体系所存在的弱点,找出破译密码方法的学科二. 基本加密通信模型Alice Bob & Eve 的加密通信:Alice和Bob 要进行通信,而Eve将会截获他们的消息,所以他们使用加密的方法通信1. 基本概念明文(Plaintext)是一组Alice和Bob都能够理解其含义的消息或者数据密文(Cipher text )是一组变换后的数据或消息,它使得非法用户不能理解其中的信息密钥(Key)能控制变化结果的参数信息加密(Encryption)使用一套变换方法,使其输出的密文依赖于输入的明文和加密密钥(eKey)解密(Decryption)使用一套变换方法,使其输出的明文依赖于输入的密文和解密密钥(dKey)用符号表示加密:Cipher text = Encryption (Plaintext, eKey)解密:Plaintext = Decryption (Cipher text, dKey)2. 体系划分以加密密钥和解密密钥的关系来划分为体系:1。

如果加密密钥(eKey)和解密密钥(dKey)相同,或者实质上相同,这样的加密体系称为单钥或对称密钥体系2。

如果加密密钥(eKey)和解密密钥(dKey)不相同,或者很难从其中一个密钥推导出另一个密钥,这样的加密体系称为双钥或非对称密钥体系三. 实例1 对称密钥在经典加密方法中使用两种类型进行变换:(1)换位法(Permutation cipher / Transposition cipher):明文中的每个字母或符号没有改变,但它们在密文中的位置进行了重新排列。

经典换位加密法(2)替换法(Substitution cipher):将明文中每个字母、数字、符号按一定规则替换成另外一个符号。

可证明安全的抗量子高效口令认证密钥交换协议

可证明安全的抗量子高效口令认证密钥交换协议

可证明安全的抗量子高效口令认证密钥交换协议尹安琪;汪定;郭渊博;陈琳;唐迪【期刊名称】《计算机学报》【年(卷),期】2022(45)11【摘要】基于格的口令认证密钥交换(Password-Authenticated Key Exchange,PAKE)协议在后量子时代具有广泛的应用前景.降低通信轮次可以有效提高执行效率,也是格上PAKE协议的重要优化方向.现有基于格的低轮次PAKE协议的构建方法主要有两种:一种是基于非交互式零知识(Non-Interactive Zero-Knowledge,NIZK)证明,但在标准模型下如何在格上实现NIZK证明仍然是公开问题;另一种虽然宣称基于不可区分适应性选择密文攻击(Indistinguishability under Adaptive Chosen-Ciphertext Attack,IND-CCA2)的安全模型,但实际上只采用了不可区分性选择密文攻击(Indistinguishability under Chosen-Ciphertext Attack,IND-CCA1)安全的公钥加密(Public Key Encryption,PKE)方案,该类PAKE 协议在现实应用时需要利用签名/验签等技术才能保证安全性.这两种方法都会增加计算和通信开销.为此,本文利用带误差学习(Learning with Errors,LWE)问题的加法同态属性,提出了一种格上IND-CCA2安全的非适应性平滑投影哈希函数(Smooth Projective Hash Function,SPHF),该函数支持一轮PAKE协议的构造;并确定了所基于的PKE方案中相关参数的大小,从而消除了LWE问题的不完全加法同态属性对SPHF正确性的影响.尽所知,这是格上第一个直接基于IND-CCA2安全模型的非适应性SPHF,且该SPHF具有相对独立的研究价值,可应用于证据加密、零知识证明和不经意传输等领域.基于此,本文构建了一种格上可证明安全的高效PAKE协议.该协议可以抵御量子攻击;只需要一轮通信,因而具有最优的通信轮次;是基于标准模型,所以避免了使用随机预言机的潜在安全威胁,特别是使用随机预言机可能导致格上PAKE协议遭受离线口令猜测攻击和量子攻击;在实际应用时,该协议也不需要利用NIZK证明和签名/验签等技术来保证安全性,这有效提高了执行效率.本文还利用人人网474万口令数据验证了基于CDF-Zipf定律的PAKE协议安全模型可以更加准确地评估PAKE协议所提供的安全强度;最后基于该安全性模型,本文在标准模型下对所提出的PAKE协议进行了严格的安全性证明.实验结果表明,与其它相关协议相比,本文协议具有最优的整体执行效率和最低的通信开销.【总页数】16页(P2321-2336)【作者】尹安琪;汪定;郭渊博;陈琳;唐迪【作者单位】信息工程大学电子技术学院;南开大学网络空间安全学院;天津市网络与数据安全技术重点实验室(南开大学)【正文语种】中文【中图分类】TP393【相关文献】1.一种高效的匿名口令认证密钥交换协议2.基于RLWE问题的后量子口令认证密钥交换协议3.后量子基于验证元的三方口令认证密钥交换协议4.可证明安全的抗量子两服务器口令认证密钥交换协议5.格上基于密文标准语言的可证明安全两轮口令认证密钥交换协议因版权原因,仅展示原文概要,查看原文内容请购买。

密码编码学与网络安全中文答案

密码编码学与网络安全中文答案

密码编码学与网络安全中文答案密码编码学与网络安全中文答案【篇一:密码编码学与网络安全第四版第二章答案翻译】是对称密码的本质成分?plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.明文加密算法密钥密文解密算法2.2 密码算法中两个基本函数式什么?permutation and substitution.代换和置换p202.3用密码进行通信的两个人需要多少密钥?对称密码只需要一把,非对称密码要两把p202.4 分组密码和流密码的区别是什么?a stream cipher is one that encrypts a digital data stream one bit or one byte at a time. a block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.分组密码每次输入的一组元素,相应地输出一组元素。

流密码则是连续地处理输入元素,每次输出一个元素。

p202.5攻击密码的两种一般方法是什么?cryptanalysis and brute force.密码分析和暴力破解2.6列出并简要定力基于攻击者所知道信息的密码分析攻击类型。

ciphertext only. one possible attack under these circumstances is the brute-force approach of trying all possible keys. if the key space is very large, this becomes impractical. thus, the opponent must rely on an analysis of the ciphertext itself, generally applying various statistical tests to it.known plaintext.the analyst may be able to capture one or more plaintext messages as well as their encryptions. with this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed.chosen plaintext. if the analyst is able to choose themessages to encrypt, the analyst may deliberately pickpatterns that can be expected to reveal the structure of the key.惟密文已知明文选择明文2.7无条件安全密码和计算上安全密码的区别是什么?an encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. an encryption scheme is said to be computationally secure if:(1) the cost of breaking the cipher exceeds the value of the encrypted information, and (2) the time required to break the cipher exceeds the useful lifetime of the information.书本p212.8简要定义caesar密码the caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25.书本p222.9简要定义单表代换密码a monoalphabetic substitution cipher maps a plaintext alphabet to a ciphertext alphabet, so that each letter of the plaintext alphabet maps to a single unique letter of the ciphertext alphabet.2.10简要定义playfair密码the playfair algorithm is based on the use of a 5?5 matrix of letters constructed using a keyword. plaintext is encrypted two letters at a time using this matrix.书本p262.11单表代换密码和夺标代换密码的区别是什么?a polyalphabetic substitution cipher uses a separate monoalphabetic substitution cipher for each successive letter of plaintext, depending on a key.书本p302.12一次一密的两个问题是什么?1. there is the practical problem of making large quantities of random keys. any heavily usedsystem might require millions of random characters on a regular basis. supplying truly random characters in this volume isa significant task.2. even more daunting is the problem of key distribution and protection. for every message to be sent, a key of equal length is needed by both sender and receiver. thus, a mammoth key distribution problem exists.书本p332.13什么是置换密码?a transposition cipher involves a permutation of the plaintext letters.书本p332.14什么是隐写术?steganography involves concealing the existence of a message.书本p362.1a.对b的取值是否有限制?解释原因。

密码习题与部分参考答案

密码习题与部分参考答案

一、密码学概述部分:1、什么是密码体制的五元组。

五元组(M,C,K,E,D)构成密码体制模型,M代表明文空间;C代表密文空间;K代表密钥空间;E代表加密算法;D 代表解密算法2、简述口令和密码的区别。

密码:按特定法则编成,用以对通信双方的信息进行明、密变换的符号。

换而言之,密码是隐蔽了真实内容的符号序列。

就是把用公开的、标准的信息编码表示的信息通过一种变换手段,将其变为除通信双方以外其他人所不能读懂的信息编码,这种独特的信息编码就是密码。

口令:是与用户名对应的,用来验证是否拥有该用户名对应的权限。

密码是指为了保护某种文本或口令,采用特定的加密算法,产生新的文本或字符串。

区别:从它们的定义上容易看出;当前,无论是计算机用户,还是一个银行的户头,都是用口令保护的,通过口令来验证用户的身份。

在网络上,使用户口令来验证用户的身份成了一种基本的手段。

3、密码学的分类标准:⏹按操作方式可分为:替代、置换、复合操作⏹按使用密钥的数量可分为:对称密钥(单密钥)、公开密钥(双秘钥)⏹按对明文的处理方法可分为:流密码、分组密码4、简述柯克霍夫斯原则(及其特点和意义。

?)即使密码系统中的算法为密码分析者所知,也难以从截获的密文推导出明文或密钥。

也就是说,密码体制的安全性仅应依赖于对密钥的保密,而不应依赖于对算法的保密。

只有在假设攻击者对密码算法有充分的研究,并且拥有足够的计算资源的情况下仍然安全的密码才是安全的密码系统。

一句话:“一切秘密寓于密钥之中”Kerckhoffs原则的意义:⏹知道算法的人可能不再可靠⏹设计者有个人爱好⏹频繁更换密钥是可能的,但无法频繁更换密码算法(设计安全的密码算法困难)5、密码攻击者攻击密码体制的方法有三种分别是:⏹穷举:尝试所有密钥进行破译。

(增大密钥的数量)⏹统计分析:分析密文和明文的统计规律进行破译。

(使明文和密文的统计规律不一样)⏹解密变换:针对加密变换的数学基础,通过数学求解找到解密变换。

Ciphertext-Policy Attribute-Based Encryption

Ciphertext-Policy Attribute-Based Encryption


1
Introduction
Public-Key encryption is a powerful mechanism for protecting the confidentiality of stored and transmitted information. Traditionally, encryption is viewed as a method for a user to share data to a targeted user or device. While this is useful for applications where the data provider knows specifically which user he wants to share with, in many applications the provider will want to share data according to some policy based on the receiving user’s credentials. Sahai and Waters [36] presented a new vision for encryption where the data provider can express how he wants to share data in the encryption algorithm itself. The data provider will provide a predicate f (·) describing how he wants to share the data and a user will be ascribed a secret key associated with their credentials X ; the user with credentials X can decrypt a ciphertext encrypted with predicate f if f (X ) = 1. Sahai and Waters [36] presented a particular formulation of this problem that they called Attribute-Based Encryption (ABE), in which a user’s credentials is represented by a set of string called “attributes” and the predicate is represented by a formula over these attributes. Several techniques used by SW were inspired by prior work on Identity-Based Encryption [37, 13, 24, 18, 10]. One drawback of the Sahai-Waters approach is that their initial construction was limited to handling formulas consisting of one threshold gate. In subsequent work, Goyal, Pandey, Sahai, and Waters [28] further clarified the concept of Attribute-Based Encryption. In particular, they proposed two complementary forms of ABE. In the first, Key-Policy ABE, attributes are used to annotate the ciphertexts and formulas over these attributes are ascribed to users’ secret keys. The second type, Ciphertext-Policy ABE, is complementary in that attributes are used to describe the user’s credentials and the formulas over these credentials are attached to the ciphertext by the encrypting party. In addition, Goyal et al. [28] provided a construction for Key-Policy ABE that was very expressive in that it allowed the policies (attached to keys) to be expressed by any monotonic formula over encrypted data. The system was proved selectively secure under the Bilinear Diffie-Hellman assumption. However, they left creating expressive Ciphertext Policy ABE schemes as an open problem. The first work to explicitly address the problem of Ciphertext-Policy Attribute-Based Encryption was by Bethencourt, Sahai, and Waters [7]. They described an efficient system that was expressive in that it allowed an encryptor to express an access predicate f in terms of any monotonic formula over attributes. Their system achieved analogous expressiveness and efficiency to the Goyal et al. construction, but in the Ciphertext-Policy ABE setting. While the BSW construction is very expressive, the proof model used was less than ideal — the authors only showed the scheme secure in the generic group model, an artificial model which assumes the attacker needs to access an oracle in order to perform any group operations.1 Recently, ABE has been applied in building a variety of secure systems [35, 41, 9, 8]. These systems motivate the need for ABE constructions that are both foundationally sound and practical. Ciphertext Policy ABE in the Standard Model The lack of satisfaction with generic group model proofs has motivated the problem of finding an expressive CP-ABE system under a more solid model. There have been multiple approaches in this direction. First, we can view the Sahai-Waters[36] construction most “naturally” as Key-Policy ABE for a threshold gate. In their work, Sahai and Waters describe how to realize Ciphertext-Policy ABE

同态加密——精选推荐

同态加密——精选推荐

同态加密⼀:什么是同态加密(Homomorphic Encryption)Craig Gentry给出的直观定义:A way to delegate processing of your data, without giving away access to it. ⼀般的加密⽅案关注的都是数据存储安全。

没有密钥的⽤户,不可能从加密结果中得到有关原始数据的任何信息。

我们注意到,这个过程中⽤户是不能对加密结果做任何操作的,只能进⾏存储、传输。

对加密结果做任何操作,都将会导致错误的解密,甚⾄解密失败。

同态加密⽅案最有趣的地⽅在于,其关注的是数据处理安全。

同态加密提供了⼀种对加密数据进⾏处理的功能。

也就是说,其他⼈可以对加密数据进⾏处理,但是处理过程不会泄露任何原始内容。

同时,拥有密钥的⽤户对处理过的数据进⾏解密后,得到的正好是处理后的结果。

⼆:同态加密有什么⽤处?同态加密⼏乎就是为云计算⽽量⾝打造的!我们考虑下⾯的情景:⼀个⽤户想要处理⼀个数据,但是他的计算机计算能⼒较弱。

这个⽤户可以使⽤云计算的概念,让云来帮助他进⾏处理⽽得到结果。

但是如果直接将数据交给云,⽆法保证安全性啊!于是,他可以使⽤同态加密,然后让云来对加密数据进⾏直接处理,并将处理结果返回给他。

这样⼀来:⽤户向云服务商付款,得到了处理的结果;云服务商挣到了费⽤,并在不知道⽤户数据的前提下正确处理了数据;但是,这么好的特性肯定会带来⼀些缺点。

同态加密现在最需要解决的问题在于:效率。

效率⼀词包含两个⽅⾯,⼀个是加密数据的处理速度,⼀个是这个加密⽅案的数据存储量。

业界如何评价全同态加密的构造?在此引⽤⼀个前辈的话:如果未来真的做出了Practical Fully Homomorphic Encryption,那么Gentry⼀定可以得到图灵奖。

(第⼀个构造出全同态加密⽅案的⼈是Gentry)三:同态加密具体如何定义?我们在云计算应⽤场景下⾯进⾏介绍:Alice通过Cloud,以Homomorphic Encryption(以下简称HE)处理数据的整个处理过程⼤致是这样的:1. Alice对数据进⾏加密。

密码学中的随机预言模型与标准模型

密码学中的随机预言模型与标准模型

密码学中的随机预言模型与标准模型王晓生;李莉【摘要】随机预言模型与标准模型是密码学可证明安全理论中非常重要的两类模型.在此对这两种模型进行了描述,并研究了运用它们证明密码方案或协议安全性时所采取的不同技术,包括随机预言模型在加密和数字签名方案中的应用研究,以及标准模型下可证明安全性理论在加密方案中的应用研究.此外对进一步研究方向进行了展望.%The random oracle model and standard model are two important ones in the theory of provable security in cryptography. These two models are described and the different technique for proving cryptographic scheme and protocol security when using these models is researched. The application research on the random oracle model in encryption and digital signature schemes, and the theory of provable security under standard model in encryption scheme was carried out. The further research direction is pointed out.【期刊名称】《现代电子技术》【年(卷),期】2011(034)017【总页数】4页(P98-100,103)【关键词】可证明安全性;随机预言模型;标准模型;加密方案【作者】王晓生;李莉【作者单位】陕西青年职业学院,陕西西安 710068;西安文理学院初等教育学院,陕西西安710001【正文语种】中文【中图分类】TN918.1-340 引言随机预言模型和标准模型在密码学的可证明安全性中扮演着重要角色。

抗自适应性选择密文攻击的公钥加密系统

抗自适应性选择密文攻击的公钥加密系统
抗自适应性选择密文攻击的公钥加密系统4522安全证明相关定义义定义2不可区分安全游戏35设?为任意一个公钥加密方案?为任意一概率多项式时间的敌手则indcpa和indcca2安全游戏被定义如下以下定义中提及的加密谕言机实际上就是公钥加密系统也就是说敌手可以自己运行加密系统产生明文与密文对
密码学报 ISSN 2095-7025 CN 10-1195/TN Journal of Cryptologic Research,2016,3(1):42–55 ©《密码学报》编辑部版权所有.
44
Journal of Cryptologic Research 密码学报 Vol.3, No.1, Feb. 2016
小解密指数: Boneh[11]等人在 Wiener[12]的基础上证明了, 如果 RSA 的解密指数小于 n0.292 , 同样会不 安全; 此后出现了很多改进的攻击, 如文献[13,14,15]; (4) 多模攻击: Nitaj A[16]于 2014 年提出一个利用格基约化算法能同时分解多个 RSA 模的攻击方案. 面对上述攻击, 目前使用 RSA 体制的用户只能做一些被动的防御: 提高模长度与优化系统参数. 文 献[17]指出时至 2013 年低于 2048 位的 RSA 模只有 RSA-896、RSA-1024、RSA-1536 和 RSA-2048 还未有 人能够分解; 文献[18,19]分析了它们能抵抗已知的小加密指数 e 的攻击; 文献[20]指出在环 Z n 上圆锥曲线 RSA 型加密系统与 KMOV 加密系统中, 只有当素数 p 和 q 满足 q p 2q 且 1 d 1 3 n1 4 时 Wiener 攻击 才 失 效 ; 文 献 [21] 指 出 在 RSA 加 密 系 统 中 , 只 有 当 素 数 p 和 q 满 足 q p 2q 、 1 d 1 3 n1 4 和

无陷门格基签密方案

无陷门格基签密方案

无陷门格基签密方案路秀华;温巧燕;王励成;杜蛟【摘要】The existing lattice-based signcryption schemes are based on trapdoor generation algorithm and preimage sample algorithm. However, both algorithms are complex, require a lot of time to run, and affect the efficiency of latticed-based signcryption schemes deeply. To solve this problem, the first lattice-based signcryption scheme without trapdoor generation algorithm and preimage sample algorithm is proposed, with the help of the technique of lattice signatures without trapdoors and the associated signature compression technique, as well as the encryption method based on the learning with errors assumption. The scheme achieves indistinguishability against adaptive chosen ciphertext attacks under the learning with errors assumption. It also achieves existential unforgeability against adaptive chosen message attacks under the small integer solution assumption. The proposed scheme is not only quantum resistant, but also efficient.%现有的格基签密方案以陷门产生算法和原像取样算法为核心算法。

密码习题及部分参考答案

密码习题及部分参考答案

一、密码学概述部分:1、什么是密码体制的五元组。

五元组(M,C,K,E,D)构成密码体制模型,M代表明文空间;C代表密文空间;K代表密钥空间;E代表加密算法;D 代表解密算法2、简述口令和密码的区别。

密码:按特定法则编成,用以对通信双方的信息进行明、密变换的符号。

换而言之,密码是隐蔽了真实内容的符号序列。

就是把用公开的、标准的信息编码表示的信息通过一种变换手段,将其变为除通信双方以外其他人所不能读懂的信息编码,这种独特的信息编码就是密码。

口令:是与用户名对应的,用来验证是否拥有该用户名对应的权限。

密码是指为了保护某种文本或口令,采用特定的加密算法,产生新的文本或字符串。

区别:从它们的定义上容易看出;当前,无论是计算机用户,还是一个银行的户头,都是用口令保护的,通过口令来验证用户的身份。

在网络上,使用户口令来验证用户的身份成了一种基本的手段。

3、密码学的分类标准:⏹按操作方式可分为:替代、置换、复合操作⏹按使用密钥的数量可分为:对称密钥(单密钥)、公开密钥(双秘钥)⏹按对明文的处理方法可分为:流密码、分组密码4、简述柯克霍夫斯原则(及其特点和意义。

?)即使密码系统中的算法为密码分析者所知,也难以从截获的密文推导出明文或密钥。

也就是说,密码体制的安全性仅应依赖于对密钥的保密,而不应依赖于对的保密。

只有在假设攻击者对密码算法有充分的研究,并且拥有足够的计算资源的情况下仍然安全的密码才是安全的密码系统。

一句话:“一切秘密寓于密钥之中”Kerckhoffs原则的意义:⏹知道算法的人可能不再可靠⏹设计者有个人爱好⏹频繁更换密钥是可能的,但无法频繁更换密码算法(设计安全的密码算法困难)5、密码攻击者攻击密码体制的方法有三种分别是:⏹穷举:尝试所有密钥进行破译。

(增大密钥的数量)⏹统计分析:分析密文和明文的统计规律进行破译。

(使明文和密文的统计规律不一样)⏹解密变换:针对加密变换的数学基础,通过数学求解找到解密变换。

改进的可授权验证代理重加密方案(19日下午,詹宇)

改进的可授权验证代理重加密方案(19日下午,詹宇)

数据接收者
验证机构
数据 数据
skPKE
数据
公开验证
安全模型
—————————————
相关算法
• Setup(λ):输入安全参数λ,该算法输出系统参数param。 • KeyGen(param):输入系统参数param,该算法输出用户i的公私钥对(pki,ski)。
• VKGen(ski):输入私钥ski,该算法输出用户i的验证密钥vki。
第二级密文CCA安全模型—查询阶段
挑战者 敌手
对于上述谕言机(除了公钥谕言机),若询问涉及到pki,我们需要pki可以在Tpk 中找到,否则谕言机返回错误符号⊥。
第二级密文CCA安全模型—挑战阶段
挑战者 敌手
第二级密文CCA安全模型—猜测阶段
挑战者 敌手
第一级密文CCA安全模型—挑战阶段
挑战者 敌手
公开验证
验证方式
可授权验证
私有验证
我们的工作
提出了一个CCA安全的可授权验证代理重加密 方案
核心思想
可公开验证且 CCA安全
PRE
PRE.Enc(m)
数据
CCA安全
PKE
授权关键 skPKE
PKE.Enc(PRE.Enc(m))
数据
核心思想
数据接收者 数据 skPKE
数据
数据
私有验证
核心思想
⚫ [Weng]: 随机预言机模型下选择密文安全的代理重加密方案。 ⚫ [Isshiki]:标准模型下选择密文安全的代理重加密方案。
应用场景
⚫ [Ateniese]:保护密文发送者及接收者身份的信息的代理重加密
方案。 ⚫ [Sur]:无证书环境下的代理重加密方案。
  1. 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
  2. 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
  3. 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。

Chosen-Ciphertext Secure Identity-BasedEncryption from Computational BilinearDiffie-HellmanDavid GalindoUniversity of Luxembourgdavid.galindo@uni.luAbstract.We extend a technique by Hanaoka and Kurosawa that pro-vides efficient chosen-ciphertext secure public key encryption based onthe Computational Diffie-Hellman assumption to the identity-based en-cryption setting.Our main result is an efficient chosen-ciphertext secureidentity-based encryption scheme with constant-size ciphertexts underthe Computational Bilinear Diffie-Hellman assumption in the standardmodel.Keywords:standard model,identity-based encryption,computationalbilinear Diffie-Hellman assumption,hardcore bits.1IntroductionDesigning efficient public key encryption schemes with chosen-ciphertext security under widely accepted hardness assumptions has been a challenging research direction in modern cryptography.Thefirst breakthrough in this area was the scheme by Cramer and Shoup[5],which had security based on the Decisional Diffie-Hellman assumption in the standard model.It is not until very recently that schemes with similar properties based on the Computational Diffie-Hellman assumption have been proposed by Cash,Kiltz and Shoup[4],Hanaoka and Kurosawa[9]and Haralambiev,Jager,Kiltz and Shoup[10].Identity-based encryption(IBE)[11,3]provides a public key encryption mech-anism where public keys are arbitrary strings id such as an email address or any other distinguished user identifier.In this work we extend the technique by Hanaoka and Kurosawa to the identity-based setting and provide an effi-cient chosen-ciphertext secure identity-based key encapsulation mechanism with constant-size ciphertexts under the Computational Bilinear Diffie-Hellman as-sumption in the standard model.2PreliminariesWe introduce some basic notation.If S is a set then s1,...,s n$←S denotes the operation of picking n elements s i of S independently and uniformly at random.M.Joye,A.Miyaji,and A.Otsuka(Eds.):Pairing2010,LNCS6487,pp.367–376,2010.c Springer-Verlag Berlin Heidelberg2010368 D.GalindoWe write A(x,y,...)to indicate that A is an algorithm with inputs x,y,...and by z←A(x,y,...)we denote the operation of running A with inputs(x,y,...) and letting z be the output.Throughout this paper we use the term“algorithm”as equivalent to“probabilistic polynomial-time algorithm”.If st1,st2are strings, then st1||st2denotes the concatenation.2.1Identity-Based Encryption and Identity-Based KeyEncapsulationA IBE schemeΠfor identities id∈Z∗p is specified by four algorithms(Setup, KeyGen,Encrypt,Decrypt)[3]:–Setup is a randomized algorithm which takes as input security parameter 1k and returns a master public key P K and a master secret key SK.The master public key includes the description of a set of admissible messages and ciphertexts M P K,C P K respectively,and a prime integer p.SK is kept secret by the trusted authority,while P K is publicly available and we consider it to be an implicit input to the rest of the algorithms.–KeyGen takes as input SK and an identity id∈Z∗p.It outputs a user secret key sk[id].–Encrypt takes as input an identity id∈Z∗p and M∈M P K.It returns a ciphertext C.–Decrypt takes as inputs a private key sk[id]and a ciphertext C,and it re-turns M∈M P K or the special symbol⊥indicating a decryption failure.In particular⊥is returned if C/∈C P K.These algorithms must satisfy a natural consistency constraint,namely that for any security parameter1k,identity id∈Z∗p and message M∈M P K it holds that M←Decrypt(sk[id],Encrypt(id,M))where sk[id]←KeyGen(SK,id)and (P K,SK)←Setup(1k).An IBE scheme can be obtained by combining an identity-based key en-capsulation mechanism(IB-KEM)and a symmetric encryption scheme[6,1]. The IB-KEM is run to produce a symmetric encryption key that is later used to encrypt a message with the given symmetric encryption scheme.Formally, an IB-KEM for identities id∈Z∗p is specified by four algorithms(KEM.Setup, KEM.KeyGen,KEM.Encap,KEM.Decap):–KEM.Setup is a randomized algorithm that takes as inputs a security pa-rameter1k and a positive integerκ.It works almost exactly as the Setup algorithm of an IBE scheme,except that no set of admissible plaintexts is output.The integerκdenotes the bit-length of the symmetric encryption keys output by the IB-KEM and is returned as part of P K.–KEM.KeyGen takes as input SK and an identity id∈Z∗p.It outputs a user secret key sk[id].–KEM.Encap takes as input an identity id∈Z∗p and outputs a symmetric key K∈{0,1}κand a ciphertext C.Chosen-Ciphertext Secure IBE from Computational Bilinear Diffie-Hellman369–KEM.Decap takes as inputs a private key sk[id]and a ciphertext C,and it returns K or the special symbol⊥indicating a decryption failure.In particular⊥is returned if C/∈C P K.Similarly to IBE,any IB-KEM must satisfy natural consistency constraints, namely that for any security parameter1k,integerκand identity id∈Z∗p it holds that K←KEM.Decap(sk[id],C)where(K,C)←KEM.Encap(id,M),sk[id]←KEM.KeyGen(SK,id)and(P K,SK)←KEM.Setup(1k,κ).Selective-identity chosen-ciphertext security.[3,1]Let us consider the fol-lowing game:Initialization.The adversary outputs a security parameter1k,a positive inte-gerκand an identity id it wants to attack.κmust be polynomially-bounded in k.Setup.The challenger runs(P K,SK)←KEM.Setup(1k,κ).The challenger sets (K ,C )←KEM.Encap(P K,id ).It picksβ$←{0,1}and sends C to the adversary,together with K ifβ=1or a fresh key K†$←{0,1}κifβ=0.It gives P K to the adversary and keeps SK to itself.Find.The adversary makes a polynomial number of queries of the following types:–User secret key.The adversary asks the challenger to run and deliver sk[id]←KEM.KeyGen(SK,id)for adversarial input id=id .–Decryption query.The adversary asks the challenger to output the result of KEM.Decap(sk[id],C)for adversarial input(id,C)=(id ,C ). Guess.The adversary outputs a guessβ ∈{0,1}.The advantage of such an adversary A is defined asAdv sID−CCAIBKEM,A (1k)=Pr[A(K ,C )=1]−Pr[A(K†,C )=1].Definition1.An identity-based key encapsulation mechanism IBKEM is secure under selective-identity and chosen-ciphertext attacks if for any IND-sID-CCA adversary A the function Adv IND−sID−CCAIBKEM,A(1k)is negligible.2.2Diffie-Hellman Assumptions on Pairing GroupsLet G1= g1 and G2= g2 be(cyclic)groups of order p prime.A map e:G1×G2→G3to a group G3is called a bilinear map,if it satisfies the following two properties:Bilinearity:e(g a1,g b2)=e(g1,g2)ab for all integers a,bNon-Degenerate:e(g1,g2)has order p in G3.We assume there exists an efficient bilinear pairing instance generator al-gorithm IG that on input a security parameter1k outputs the description of e,G1,G2,G3,g1,g2,p ,with p a k-bit length prime.370 D.GalindoDefinition 2(BDH assumption).Let e,G 1,G 2,G 3,p,g 1,g 2 ←IG (1k ).Let us define Z ← e,G 1,G 2,G 3,p,g 1,g 2,g a 1,g a 2,g b 1,g b 2,g c 1 where a,b,c $←Z p .We say that IG satisfies the Computational Bilinear Diffie-Hellman assumption ifAdv BDH IG ,A (k ):=Pr[A (Z )=e (g 1,g 2)abc ]is negligible in k .The probabilities are computed over the internal random coins of A ,IG and the random coins of the inputs.Our definition of bilinear pairings and BDH assumption encompasses all pairing-type categories arising from elliptic curves as classified by Galbraith,Paterson and Smart [8],and hence it is as general as possible.Definition 3(BDH hardcore predicate).Let e,G 1,G 2,G 3,p,g 1,g 2 ←IG (1k ).Let us define Z ← e,G 1,G 2,G 3,p,g 1,g 2,g a 1,g a 2,g b 1,g b 2,g c 1where a,b,c $←Z p .Let h :G 3→{0,1}be a function and considerAdv h IG ,A (k ):= Pr A Z ,h,h (e (g 1,g 2)abc ) =1 −Pr [A (Z ,h,β)=1] where β$←{0,1}.We say that h is a BDH hardcore predicate if the the BDH assumption for IG implies that Adv h IG ,A (k )is negligible.The probabilities are computed over the internal random coins of A ,IG and the random coins of the inputs.2.3Lagrange Interpolation Let f (x )= 0≤l ≤t b l x l be a polynomial over Z p with degree t and (x 0,f (x 0)),...,(x t ,f (x t )) be t +1distinct points where f (x )has been evaluated over Z ∗p .Then one can recover f (x )as f (x )=f (x 0)λx 0(x )+...+f (x 0)λx 0(x ),where λx j (x )∈Z p [x ]for 0≤l ≤t are called Lagrange coefficients and are defined asλx l (x )=(x −x 0)(x −x 1)···(x −x l −1)(x −x l +1)···(x −x t )(x l −x 0)(x l −x 1)···(x l −x l −1)(x l −x l +1)···(x j −x t ).It can be seen that given g 1,(g x 01,g f (x 0)1),...,(g x t 1,g f (x t )1) it is possible to com-pute any g b l 1for 0≤l ≤t thanks to the Lagrange coefficients,where G 1= g 1 has prime order p .Similarly,giveng 1,g b 01,...,g b j −11,(x 0,f (x 0)),...,(x t −j ,f (x t −j )) it is possible to reconstruct any g b l 1for j ≤l ≤t .These facts are used in our scheme and in its security reduction.Chosen-Ciphertext Secure IBE from Computational Bilinear Diffie-Hellman371 3Chosen-Ciphertext Secure IB-KEM from the BDH Assumption in the Standard ModelIn this section we describe a new IB-KEM which is obtained by extending the techniques that Hanaoka and Kurosawa[9]applied to ElGamal encryption scheme[7].The new IB-KEM is the result of applying these extended techniques to Boneh and Boyen’s identity-based encryption scheme[2]and it has security based on the Computational BDH assumption.We assume the existence of global pairing parameters e,G1,G2,G3,p,g1,g2 ←IG(1k)known to all the parties. Our IB-KEM is defined as follows:–KEM.Setup(1k,κ)chooses a,γ$←Z∗p and sets u0←g a1,v0←g a2,u−1←gγ1,v−1←gγ2.Next,it randomly picks b0,b1,...,bκ+2$←Z∗p and defines the polynomial f(x)=b0+b1x1+...+bκ+2xκ+2∈Z p[x].It computes y l=g b l1,Y l=e(u0,g b l2)for l=0,...,κ+2.It chooses a target collision resistant hash function TCR:G1×{0,1}→Z∗p,as well as a BDH hardcore predicate h:G3→{0,1}.It defines the functions H1:Z∗p→G1that maps id→u id0u−1and H2:Z∗p→G2that maps id→v id0v−1.Finally,let C P K be G41andP K← e,G1,G2,G3,p,g1,g2,u0,v0,u−1,v−1,y0,...,yκ+2,Y0,...,Yκ−1,H1 andSK← a,b0,...,bκ+2,H2 .–KEM.KeyGen(SK,id)outputs(sk0[id],...,skκ−1[id]),wheresk l[id]←g ab l2H2(id)r l,g r l2∈G22and r l$←Z∗p for0≤l≤κ−1–KEM.Encap(P K,id)computesC←g r1,g r·f(t)1,g r·f(t)1,H1(id)r∈G41,K←h(Y r0)||...||h(Y rκ−1)∈{0,1}κ,where t=TCR(g r1,0)and t=TCR(g r1,1).It outputs(K,C).–KEM.Decap takes as inputs a user key sk[id]=(sk0[id],...,skκ−1[id]),anda ciphertext C=(C0,C1,C2,C3).Itfirst checks if e(C0,g f(t)1)=e(g1,C1)and e(C0,g f(t)1)=e(g1,C2).If not it returns⊥.Otherwise it parses sk l[id]as(A l,B l)for l=0,...,κ−1and it returnsK←he(C0,A0)e(C3,B0)...he(C0,Aκ−1)e(C3,Bκ−1)372 D.GalindoThe above scheme is consistent since for a honestly generated ciphertext,we have e (C 0,A l )e (C 3,B l )=e g r 1,g ab l 2H 2(id )r l e H 1(id )r ,g r l 2 =e (g r 1,g ab l 2)·e g r 1,H 2(id )r l e H 1(id )r ,g r l 2 ==Y r l ·e g r 1,g r l (a ·id +γ)2 e g r (a ·id +γ)1,g r l 2=Y r l for l =0,...,κ−1Theorem 1.Let h be a BDH hardcore predicate and TCR be a target collision-resistant hash function.Then the above IB-KEM scheme is secure against selective-identity and chosen-ciphertext attacks if IG is an instance generator algorithm for which the Bilinear Diffie-Hellman assumption holds.Proof.An adversary starts by outputting a security parameter 1k ,a key length κand a target identity id ∈Z ∗p .Given a BDH instanceZ ← e,G 1,G 2,G 3,g 1,g 2,p,g a 1,g a 2,g b 1,g b 2,g c 1and a successful adversary A against the IND-sID-CCA security of our IB-KEM,we construct an algorithm B distinguishing h e (g 1,g 2)abc from random with non-negligible advantage.To do so we need to apply a hybrid argument that we explain next.Assume that for challenge ciphertext C = g c 1,g c ·f (t )1,g c ·f (t )1,H 1(id )c ,where t =TCR (g c 1,0)and t =TCR (g c 1,1),there exists an adversary A which distinguishes h (Y c 0)||...||h (Y c κ−1)from random (thus breaking the IB-KEM security).Then,there exists another adversary A that for some j such that 0≤j ≤κ−1distinguishes h (Y c 0)||...||h (Y c j )||rand κ−j −1from h (Y c 0)||...||h (Y c j −1)||rand κ−j ,where rand l denotes a l -bit uniformly random string.Therefore we can assume the existence of such an adversary A .We use itto constructan algorithm B that given (g 1,g 2,g a 1,g a 2,g b 1,g b 2,g c 1)distinguishes h e (g 1,g 2)abc from random.B is defined as follows:Generate system parameters.B starts by setting e,G 1,G 2,G 3,p,g 1,g 2 to be the global parameters of the system.It continues by simulating the master public key of the IB-KEM and the challenge encapsulation to A :1.It sets u 0←g a 1,v 0←g a 2and u −1←u −id 0g δ1,v −1←v −id 0g δ2for random δ$←Z ∗p .2.It sets t =TCR (g c 1,0)and t =TCR (g c 1,1).3.It sets y j ←g b 1∈G 1and z j ←g b 2∈G 2and picks randomrnd j ,...,rnd κ−1$←Z ∗p \{t ,t}Additionally it choosesu t ,u t ,b 0,...,b j −1,u j ,...,u κ−1$←Z ∗pChosen-Ciphertext Secure IBE from Computational Bilinear Diffie-Hellman3734.It sets y l =g b l 1∈G 1and z l =g b l 2∈G 2for 0≤l ≤j −1.5.By using Lagrange interpolation,it computes y j +1,...,y κ+2such that for a function F 1(x )= 0≤l ≤κ+2y x l l it holds that F 1(t )=g u t 1,F 1(t )=g u t 1,and F 1(rnd j )=g u j 1,...,F 1(rnd κ−1)=g u κ−11.6.By using Lagrange interpolation,it computes z j +1,...,z κ+2such that for a function F 2(x )= 0≤l ≤κ+2z x l l it holds that F 2(t )=g u t 2,F 2(t )=g u t 2,and F 2(rnd j )=g u j 2,...,F 2(rnd κ−1)=g u κ−12.7.It sets Y l =e (g a 1,z l )for l =0,...,κ−1.8.Let C P K be G 41.9.B sets the master public key to be P K ← e,G 1,G 2,G 3,p,g 1,g 2,u 0,v 0,u −1,v −1,y 0,...,y κ+2,Y 0,...,Y κ−1,H 1 ,the challenge ciphertextC ←(g c 1,(g c 1)u t ,(g c 1)u t ,(g c 1)δ)and the challenge keyK = h (e (g c 1,g a 2)b 0)||h (e (g c 1,g a 2)b 1)||...||h (e (g c 1,g a 2)b j −1)||β||rand k −j −1 ,where β$←{0,1}.Finally B initializes A with P K and (K ,C ).Notice that,because of the prop-erties of Lagrange interpolation,the distribution of the resulting master public key is statistically-close to the distribution of a honestly generated key.B answers the queries by A in the following way:Create user secret key queries.For a secret key query with id =id ,it com-putes sk l [id ]← z −δid −id l H 2(id )r l ,z −1id −id l g r l 2 ,where r l $←Z ∗p for l =0,...,κ−1.To see that this is a valid random user secret key,let us write z l =g b l 2for b l ∈Z ∗p and let s l =r l −b l /(id −id ).Notice that b l is unknown to B for j ≤l ≤κ+2,and thus s l is not defined explicitly but implicitly.It turns out thatz −δid −id l H 2(id )r l =g −δb l id −id2 g a (id −id )2g δ2 r l ==g ab l 2 g a (id −id )2g δ2 r l −−b l id −id =g ab l 2H 2(id )s l and z −1id −id l g r l 2=g sj 2.Decryption queries.For decryption queries of the form (id,C )for id =id ,it first checks whether C ∈C P K .If not,it answers ⊥.Otherwise it obtains sk [id ]by running the user key generation algorithm and returns KEM .Decap (sk [id ],C ).374 D.GalindoFor decryption queries (id ,C ),it parses C as (C 0,C 1,C 2,C 3)and it proceeds as follows:1.If C 0=g c 1it answers ⊥.2.If C 0=g c 1and the intersection{TCR (C 0,0),TCR (C 0,1)}∩{t ,t,rnd j ,...,rnd κ−1}is non-empty then B aborts and outputs a random bit β .3.If C 0=g c 1and the intersection{TCR (C 0,0),TCR (C 0,1)}∩{t ,t ,rnd j ,...,rnd κ−1}is empty,it first checks if e (C 0,g f (t )1)=e (g 1,C 1)and e (C 0,g f (t )1)=e (g 1,C 2),where t =TCR (C 0,0),t =TCR (C 0,1).If not B outputs ⊥indicating de-cryption failure.Otherwise B computes C u t 0,C u t 0,C u j 0,...,C u κ−10.Let f 1∈Z p [x ]be a polynomial of degree κ+2whose coefficients for the terms x l are b l for 0≤l ≤j −1.Additionally,f 1satisfies thatf 1(t ),f 1(t ),f 1(t ),f 1(t ),f 1(rnd j +1),...,f 1(rnd κ−1) = log C 0C 1,log C 0C 2,u t ,u t ,u j +1,...,u κ−1Next by using Lagrange interpolation it computes C b 1,l 0for j ≤l ≤κ−1,where b 1,l ∈Z p denote the coefficients of the x l term of the polynomial f 1respectively.Then it answers the decryption query (id,C )withh (e (C b 00,g a 2))||...||h (e (C b j −10,g a 2))||h (e (C b 1,j 0,g a 2))||...||h (e (C b 1,κ−10,g a 2)).Guess.At some point A outputs a guess β ∈{0,1}and B outputs the same guess for h (e (g 1,g 2)abc ).Success analysis of algorithm B .Let us define a series of events:–Win denotes the event that A correctly distinguishesh (Y c 0)||...||h (Y c j )||rand κ−j −1from h (Y c 0)||...||h (Y c j −1)||rand κ−j–Abort is the event that A makes a decryption query (id ,(C 0,C 1,C 2,C 3))such that C 0=g c 1and the intersection {TCR (C 0,0),TCR (C 0,1)}∩{t ,t ,rnd j ,...,rnd κ−1}is non-empty –Invalid denotes the event that A makes a decryption query of the form(id ,(C 0,C 1,C 2,C 3))such that e (C 0,g f (t )1)=e (g 1,C 1)and e (C 0,g f (t )1)=e (g 1,C 2)but B ’s decryption answer is incorrectThen,analogously to [9],B ’s advantage in distinguishing h (e (g 1,g 2)abc )from a random bit βis bounded as followsChosen-Ciphertext Secure IBE from Computational Bilinear Diffie-Hellman375Adv h IG,B(k)=PrBZ,h,h(e(g1,g2)abc)=1−Pr[B(Z,h,β)=1]≥Pr[Win|Abort∧Invalid]Pr[Abort∧Invalid]−1/2≥|Pr[Win]−Pr[Abort]−Pr[Invalid]|Lemmas3and4in[9]imply that the probabilities Pr[Abort]and Pr[Invalid]arenegligible.Finally Pr[Win]=1κ·Adv sID−CCAIBKEM,Adue to the hybrid argument.4ExtensionsThe IB-KEM presented in the last section admits several extensions.Identity-based encryption.Coupling our IB-KEM with a chosen ciphertext secure symmetric key encryption scheme yields an IBE scheme with IND-sID-CCA security based on the BDH assumption.The resulting IBE scheme is fairly efficient and has constant size ciphertexts.Identity-based encryption with adaptive-identity security.It is straight-forward to upgrade our IBE scheme to have adaptive-identity security by replac-ing the function H1(and H2accordingly)by the function used by Waters[12] to attain adaptive-identity security.Hierarchical identity-based encryption.Our modification to the IBE scheme by Boneh and Boyen can also be applied to the hierarchical IBE scheme pre-sented by the same authors in[2],and results in an hierarchical IBE scheme with IND-sID-CCA security based on the BDH assumption.For example,the resulting hierarchical IB-KEM scheme has a ciphertext for a -level hierarchical identity(id1,...,id )with the formg r1,g r·f(t)1,g r·f(t)1,H11(id)r,...,H 1(id)r∈G3+1,where H11,...,H 1are independent instances of the function H1and t= TCR(g r1,0),t=TCR(g r1,1).The key K←h(Y r0)||...||h(Y rκ−1)∈{0,1}κre-mains unchanged.References1.Bentahar,K.,Farshim,P.,Malone-Lee,J.,Smart,N.P.:Generic Constructions ofIdentity-Based and Certificateless KEMs.J.Cryptology21(2),178–199(2008) 2.Boneh,D.,Boyen,X.:Efficient Selective-ID Secure Identity Based EncryptionWithout Random Oracles.In:Cachin,C.,Camenisch,J.L.(eds.)EUROCRYPT 2004.LNCS,vol.3027,pp.223–238.Springer,Heidelberg(2004)3.Boneh,D.,Franklin,M.K.:Identity-Based Encryption From The Weil Pairing.In:Kilian,J.(ed.)CRYPTO2001.LNCS,vol.2139,pp.213–229.Springer,Heidelberg (2001)376 D.Galindo4.Cash,D.,Kiltz,E.,Shoup,V.:The Twin Diffie-Hellman Problem and Applications.In:Smart,N.P.(ed.)EUROCRYPT2008.LNCS,vol.4965,pp.127–145.Springer, Heidelberg(2008)5.Cramer,R.,Shoup,V.:A Practical Public Key Cryptosystem Provably SecureAgainst Adaptive Chosen Ciphertext Attack.In:Krawczyk,H.(ed.)CRYPTO 1998.LNCS,vol.1462,pp.13–25.Springer,Heidelberg(1998)6.Cramer,R.,Shoup,V.:Design and analysis of practical public-key encryptionschemes secure against adaptive chosen ciphertext attack.SIAM Journal of Com-puting33(1),167–226(2004)7.El Gamal,T.:A Public Key Cryptosystem and a Signature Scheme Based onDiscrete Logarithms.In:Blakely,G.R.,Chaum,D.(eds.)CRYPTO1984.LNCS, vol.196,pp.10–18.Springer,Heidelberg(1985)8.Galbraith,S.D.,Paterson,K.G.,Smart,N.P.:Pairings for cryptographers.DiscreteApplied Mathematics156(16),3113–3121(2008)9.Hanaoka,G.,Kurosawa,K.:Efficient Chosen Ciphertext Secure Public Key En-cryption under the Computational Diffie-Hellman Assumption.In:Pieprzyk,J.(ed.)ASIACRYPT2008.LNCS,vol.5350,pp.308–325.Springer,Heidelberg (2008)10.Haralambiev,K.,Jager,T.,Kiltz,E.,Shoup,V.:Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model.In: Nguyen,P.Q.,Pointcheval, D.(eds.)PKC2010.LNCS,vol.6056,pp.1–18.Springer,Heidelberg(2010)11.Shamir,A.:Identity-based cryptosystems and signature schemes.In:Blakely,G.R.,Chaum,D.(eds.)CRYPTO1984.LNCS,vol.196,pp.47–53.Springer,Heidelberg (1985)12.Waters, B.:Efficient Identity-Based Encryption Without Random Oracles.In:Cramer,R.(ed.)EUROCRYPT2005.LNCS,vol.3494,pp.114–127.Springer, Heidelberg(2005)。