Article

Certificateless public key encryption: A new generic construction and two pairing-free schemes

Abstract

The certificateless encryption (CLE) scheme proposed by Baek, Safavi-Naini and Susilo is computation-friendly since it does not require any pairing operation. Unfortunately, an error was later discovered in their security proof, and so far the provable security of the scheme remains unknown. Recently, Fiore, Gennaro and Smart showed a generic way (referred to as the FGS transformation) to transform identity-based key agreement (IB-KA) protocols into certificateless key encapsulation mechanisms (CL-KEMs). As a typical example, they showed that the pairing-free CL-KEM underlying Baek et al.'s CLE can be "generated" by applying their transformation to the Fiore–Gennaro (FG) IB-KA protocol. In this paper, we show that directly applying the FGS transformation to the original FG IB-KA protocol in fact results in a CL-KEM scheme that is insecure against strong adversaries; we also give a way to fix the problem without adding any computational cost. The reason behind our attack is that the FGS transformation requires the underlying IB-KA protocol to be secure in a model that is stronger than the conventional security models in which existing IB-KA protocols are proved secure, and the FG IB-KA protocol is in fact insecure in the new model. This motivates us to construct a new generic transformation from IB-KA protocols to CLE schemes. We present such a transformation, which only requires the underlying IB-KA protocol to be secure in a security model that is weaker than the existing security models for IB-KA protocols. We illustrate our transformation by generating a new pairing-free CLE scheme, obtained by directly applying our transformation to the original FG IB-KA protocol.
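As an added example (written for this page; not code from the paper, nor from Fiore, Gennaro or Smart), the following Python sketches the pairing-free setting the abstract refers to: the KGC issues a Schnorr-type identity key (r, s) with g^s = r · y^H1(ID, r); two parties run a Diffie–Hellman-style identity-based key agreement in the Fiore–Gennaro design as this editor understands it (session key H2(g^((t_A+s_A)(t_B+s_B)), g^(t_A t_B))); and a CL-KEM is obtained by reusing the responder's flow (r, u = g^t) as a long-term user public key, with the sender running the initiator's flow. The concrete formulas, the toy safe-prime group, the hash functions and the simplification that the sender holds no identity key of its own are assumptions; the page does not state them. The abstract reports that this kind of direct derivation does not withstand the strong adversary of the CLE model (a Type I adversary allowed to replace the challenge public key); that attack is not reproduced here. The `verify_identity_key` check is the one a user should run on a partial private key before relying on it.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test; adequate for choosing toy parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 64):
    """Toy safe prime p = 2q + 1 (assumed parameters, far too small for real use); g = 4 is a square, so it has order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def _hash(tag: bytes, *parts) -> bytes:
    """Domain-separated, length-prefixed SHA-256 over identities (str) and group elements (int)."""
    h = hashlib.sha256(tag)
    for part in parts:
        b = part.encode() if isinstance(part, str) else part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def h1(q: int, ident: str, r: int) -> int:
    """H1(ID, r) in Z_q: the challenge of the Schnorr-type identity key."""
    return int.from_bytes(_hash(b"H1", ident, r), "big") % q

class KGC:
    """Key generation centre with master secret x and master public key y = g^x."""
    def __init__(self, group):
        self.p, self.q, self.g = group
        self.x = secrets.randbelow(self.q - 1) + 1
        self.y = pow(self.g, self.x, self.p)

    def extract(self, ident: str):
        """Identity key (r, s): a Schnorr signature on ident, so g^s = r * y^H1(ident, r)."""
        k = secrets.randbelow(self.q - 1) + 1
        r = pow(self.g, k, self.p)
        return r, (k + self.x * h1(self.q, ident, r)) % self.q

def verify_identity_key(group, y, ident, r, s) -> bool:
    """Check an issued identity key; a user should do this before relying on it."""
    p, q, g = group
    return pow(g, s, p) == r * pow(y, h1(q, ident, r), p) % p

def ibka_flow(group):
    """One party's flow: ephemeral t and u = g^t (sent together with that party's r)."""
    p, q, g = group
    t = secrets.randbelow(q - 1) + 1
    return t, pow(g, t, p)

def ibka_session_key(group, y, my_key, my_t, peer_ident, peer_r, peer_u) -> bytes:
    """Both sides obtain H2(g^((t_A+s_A)(t_B+s_B)), g^(t_A*t_B))."""
    p, q, g = group
    s = my_key[1]
    base = peer_u * peer_r % p * pow(y, h1(q, peer_ident, peer_r), p) % p  # = g^(t_peer + s_peer)
    return _hash(b"H2", pow(base, (my_t + s) % q, p), pow(peer_u, my_t, p))

def cl_keygen(group, ident, identity_key):
    """CL user key: the responder's flow becomes the long-term public key (r, u = g^t); t is the secret value."""
    p, q, g = group
    r, s = identity_key
    t = secrets.randbelow(q - 1) + 1
    return (t, s), (r, pow(g, t, p))

def cl_encaps(group, y, ident, pk):
    """Sender runs the initiator's flow; it holds no identity key of its own (assumed simplification)."""
    p, q, g = group
    r, u = pk
    t_a, u_a = ibka_flow(group)
    base = u * r % p * pow(y, h1(q, ident, r), p) % p  # = g^(t + s) for the receiver
    return u_a, _hash(b"H2", pow(base, t_a, p), pow(u, t_a, p))

def cl_decaps(group, sk, u_a) -> bytes:
    p, q, g = group
    t, s = sk
    return _hash(b"H2", pow(u_a, (t + s) % q, p), pow(u_a, t, p))
```

Note that the identity tag enters the key only through H1(ID, r): encapsulating to the same public key under a different identity yields an unrelated key, which is the property a certificateless scheme needs from the partial private key.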


... Since the computational ability, memory and battery capacity of mobile devices are often very limited, the traditional PKC-based authentication schemes are unsuitable for applications where mobile devices are used. Compared with traditional PKC, ID-based cryptography (IBC) exploits an entity's ID or email address as her public key and thus completely eliminates the expensive management cost of public key certificates, which is particularly desirable in mobile environments [12]. In addition, IBC is often implemented by an elliptic curve to offer better performance, because computation in an elliptic curve can achieve the same security strength by using a much smaller key size as compared to that of the finite field. ...
... Thus, only using BNN-IBS is not sufficient for achieving user privacy, and ID-based encryption (IBE) schemes shall be additionally used. Fortunately, a number of pairing-free IBE schemes (e.g., [12], [40]) have recently been developed, and they can be readily adopted to construct privacy-preserving authentication schemes which provide robust security and strong user anonymity. ...
... This means that if A obtains $ID_{MU}$ and $a \cdot P$, she can definitely determine $V'$ by offline guessing $PW_{MU}$. On the other hand, some randomness would be introduced if $V'$ is concealed by using some IND-CCA2 secure public-key encryption algorithm (e.g., [12], [40]) like the schemes in [37], [42], and this may inevitably lose some efficiency. ...
Article
Providing secure, efficient and privacy-preserving user authentication in mobile networks is a challenging problem due to the inherent mobility of users, variety of attack vectors and resource-constrained nature of user devices. Recent studies show that identity-based cryptosystems can eliminate the certificate overhead and thus address the issues associated with public key infrastructure (PKI) technology—which is a rare bit of good news in today's computer security world. In this work, we employ three representative identity-based remote user authentication schemes (i.e., Truong et al.'s scheme, Li et al.'s scheme and Zhang et al.'s scheme) as case studies to reveal the challenges and subtleties in designing a practical authentication scheme for mobile devices. First, we demonstrate that Truong et al.'s scheme, which was presented at AINA'12, cannot achieve a few important security goals under our new attacking scenarios: (1) it still fails to resist known session-specific temporary information attack; (2) it cannot withstand key compromise impersonation attack; (3) it is of poor usability. Second, we show that Li et al.'s privacy-preserving scheme, which was proposed at GLOBECOM'12, is subject to some subtle (yet severe) efficiency problems that make it virtually impossible for any practical use. Third, we scrutinize a "provably secure" scheme for roaming services in mobile networks designed by Zhang et al. at SCN'15, and find it prone to collusion attack and replay attack. Further, we investigate the underlying causes of these identified failures and propose an improvement over Truong et al.'s scheme that overcomes the revealed challenges while maintaining reasonable efficiency.
... Since the groundbreaking work of Al-Riyami and Paterson (2003), many certificateless encryption (CLE) schemes (Sun and Zhang 2010; Yang and Tan 2011), certificateless signature (CLS) schemes (Tian and Huang 2012; Tsai et al. 2012; Gong and Li 2012; He et al. 2012c, 2013a) and certificateless key agreement schemes (He et al. 2011c, 2012a) have been proposed for applications in the CLPKC setting. Several certificateless blind signature (CLBS) schemes (Zhang and Zhang 2008; Wang and Lu 2008; Yang et al. 2009; Sun and Wen 2009; Zhang and Gao 2010; Zhang et al. 2011) were also proposed. ...
Article
Recently, certificateless public key cryptography (CLPKC) has been widely studied, since it can solve the certificate management problem of traditional public key cryptography (TPKC) and the key escrow problem of identity-based public key cryptography (ID-based PKC). To meet the requirements of different applications, many certificateless blind signature (CLBS) schemes have been proposed, all of which use bilinear pairings in the CLPKC setting. However, the bilinear pairing operation is very complicated, so the performance of these CLBS schemes is not very satisfactory. To solve this problem, we propose an efficient CLBS scheme without bilinear pairings. A performance analysis shows that the proposed scheme can reduce computation and storage costs. A security analysis shows that the proposed scheme is provably secure against two types of adversaries.
Article
Certificateless public-key systems (CL-PKS) were introduced to simultaneously solve two critical problems in public-key systems. One is the key escrow problem in ID-based public-key systems and the other is to eliminate the presence of certificates in conventional public-key systems. In the last decade, several certificateless signature (CLS) schemes have been proposed in the random oracle model. These CLS schemes possess existential unforgeability against adaptive chosen-message attacks, and only a few of them possess strong unforgeability. A CLS scheme with strong unforgeability plays an important role in the construction of certificateless cryptographic schemes. Unfortunately, all the existing CLS schemes in the standard model (without random oracles) have been shown not to provide existential unforgeability under a generally adopted security model. In this article, we propose a strongly secure CLS scheme in the standard model under the generally adopted security model. Our scheme possesses not only existential unforgeability but also strong unforgeability, and turns out to be the first strongly secure CLS scheme in the standard model. Under the collision resistant hash (CRH) and computational Diffie-Hellman (CDH) assumptions, we prove that our CLS scheme possesses strong unforgeability against both Type I (outsiders) and Type II (key generation center) adversaries.
Article
To protect receiver privacy, researchers constructed anonymous multireceiver encryption by implanting anonymity in multireceiver encryption. It allows a sender to produce the identical ciphertext for multiple designated receivers. Every designated receiver can decrypt the ciphertext, but does not know who the other designated receivers are. Recently, several anonymous multireceiver identity (ID)-based encryption (AMIBE) schemes were proposed without the utilization of certificates. However, these AMIBE schemes are not efficient because the decryption cost of each receiver grows linearly with the number of designated receivers. Moreover, all ID-based cryptographic schemes suffer from the key escrow problem, which has been resolved by using certificateless public key settings. Very recently, Islam et al. proposed an anonymous multireceiver certificateless encryption (AMCLE) scheme. However, the encryption cost of the sender is quadratic in the number of designated receivers, whereas the decryption cost of each receiver is linear in that number. In this paper, we propose an efficient AMCLE scheme with constant decryption cost, namely, the required decryption cost of each receiver is independent of the number of receivers. When compared with previously proposed AMIBE and AMCLE schemes, our scheme solves the key escrow problem and improves the efficiency of encryption/decryption significantly as well.
Article
In cryptography, security models play an important role in defining security against potential attacks. Following a security model, a scheme is analysed to be secure or insecure against the attacks it considers. Certificateless signatures (CLSs) are a well-known way to solve the key escrow problem of identity-based signatures, but the adversaries' attack power is not well defined. In the typical CLS setting, the full private key is composed of two parts that are respectively generated by two different parties, and therefore the security models are more complicated than those of other systems. In general, there are two types of adversaries in CLS, and these can be further extended into many security levels according to attack power. In this paper, a comprehensive study focuses on the security models of CLSs. We not only consider two security issues, public key replacement and strong unforgeability, but also revisit all feasible and potential adversaries' abilities. According to the research results, we show a generalization of the security models which covers all cases of the adversaries. Finally, we give a security comparison with literature works.
Article
The concept of a certificateless public-key system (CL-PKS) was first introduced by Al-Riyami and Paterson. The CL-PKS not only solves the key escrow problem but also retains the merit of eliminating the required certificates in the identity-based PKS. Up to now, there was little work on studying the revocation problem in existing CL-PKS constructions. In this paper, we address the revocation problem and propose the first revocable certificateless public-key encryption (RCL-PKE). We define the new syntax and security notions of the RCL-PKE and propose a concrete RCL-PKE scheme. Compared with the previously proposed CL-PKE schemes, the proposed RCL-PKE scheme retains efficiency for encryption and decryption procedures while providing an efficient revocation alternative using a public channel. Under the computational and the bilinear Diffie–Hellman assumptions, we demonstrate that our RCL-PKE scheme is semantically secure against adaptive chosen-ciphertext attacks.
Article
To satisfy the requirements of practical applications, many certificateless encryption (CLE) schemes without pairing have been proposed. Recently, Lai et al. proposed a CLE scheme without pairing and demonstrated that their scheme is provably secure in the random oracle model. The analysis shows that their scheme has better performance than the related schemes. However, Lai et al.'s scheme is not a standard CLE scheme since the user's public key is used when generating his partial private key. In this study, the authors propose a new CLE scheme. Compared with Lai et al.'s scheme, the authors' scheme is a standard CLE scheme at the cost of increasing the computational cost slightly. Besides, their scheme has better performance than the related schemes except Lai et al.'s scheme. They also show their scheme is provably secure in the random oracle model.
Article
The smart grid is a network of computers and power infrastructures that monitor and manage energy usage and uses intelligent transmission and distribution networks to deliver electricity for improving the electric system's reliability and efficiency. With grid controls, energy transmission management could be enhanced and resilience to control-system failures would be increased. Processing chips and storage units have been embedded into traditional electricity meters, so that they are capable of performing smart functions; these are called smart meters. Smart meters communicate with electrical appliances at home as well as the generation and management facilities at the power companies. Although deploying the smart grid has numerous social and technical benefits, several security and privacy concerns arise. Attackers might compromise smart meters, eavesdrop on the communication, or hack into the power company's database to access the power consumption data of a victim, from which they learn about the victim's daily activities. Recently, various security and privacy vulnerabilities and threats have been studied in the research literature; however, most of the problems remain yet to be addressed. Therefore, it is crucial to design secure smart grid communication protocols that could prevent all possible security vulnerabilities. In this paper, we propose an anonymous authentication protocol for securing communication among the various smart meters of the smart grid. The proposed protocol can achieve key agreement between smart meters and fully protect user privacy with low computation overhead. In addition, the analysis shows that the proposed protocol can satisfy the desirable security requirements and resist several notorious attacks.
Article
It would be interesting if a signcryption scheme in the standard model could be made certificateless. One of the interesting attempts is due to Liu et al. [Z. Liu, Y. Hu, X. Zhang, H. Ma, Certificateless signcryption scheme in the standard model, Information Sciences 180 (3) (2010) 452–464]. In this paper, we provide a cryptanalysis on this scheme by depicting two kinds of subtle public key replacement attacks against it. Our analysis reveals that it does not meet the basic requirements of confidentiality and non-repudiation.
Article
We extend the concept of key encapsulation to the primitives of identity-based and certificateless encryption. We show that the natural combination of ID-KEMs or CL-KEMs with data encapsulation mechanisms results in encryption schemes that are secure in a strong sense. In addition, we give generic constructions of ID-KEMs and CL-KEMs that are provably secure in the random oracle model.
Conference Paper
We discuss the relationship between ID-based key agreement protocols, certificateless encryption and ID-based key encapsulation mechanisms. In particular we show how in some sense ID-based key agreement is a primitive from which all others can be derived. In doing so we focus on distinctions between what we term pure ID-based schemes and non-pure schemes, in various security models. We present security models for ID-based key agreement which do not "look natural" when considered as analogues of normal key agreement schemes, but which look more natural when considered in terms of the models used in certificateless encryption. We illustrate our models and constructions with two running examples, one pairing based and one non-pairing based. Our work highlights distinctions between the two approaches to certificateless encryption, and adds to the debate about what is the "correct" security model for certificateless encryption.
Conference Paper
This paper presents the first constructions for certificateless encryption (CLE) schemes that are provably secure against strong adversaries in the standard model. It includes both a generic construction for a strongly secure CLE scheme from any passively secure scheme as well as a concrete construction based on the Waters identity-based encryption scheme.
Conference Paper
Certificateless cryptography (CL-PKC) is a concept that aims at enjoying the advantages of identity based cryptography without suffering from its inherent key escrow. Several methods were recently suggested to generically construct a certificateless encryption (CLE) scheme by combining identity based schemes with ordinary public key cryptosystems. Whilst the security of one of these generic compositions was proved in a relaxed security model, we show that all of them are insecure against chosen-ciphertext attacks in the strongest model of Al-Riyami and Paterson. We show how to easily fix these problems and give a method to achieve generic CLE constructions which are provably CCA-secure in the random oracle model. We finally propose a new efficient pairing-based scheme that performs better than previous proposals without precomputation. We also prove its security in the random oracle model.
Conference Paper
Certificateless Public Key Cryptography has very appealing features, namely it does not require any public key certification (cf. traditional Public Key Cryptography) nor does it have the key escrow problem (cf. Identity-Based Cryptography). Unfortunately, construction of Certificateless Public Key Encryption (CLPKE) schemes has so far depended on the use of Identity-Based Encryption, which results in bilinear pairing-based schemes that need costly operations. In this paper, we consider a relaxation of the original model of CLPKE and propose a new CLPKE scheme that does not depend on bilinear pairings. We prove that in the random oracle model, our scheme meets the strong security requirements of the new model of CLPKE, such as security against public key replacement attack and chosen ciphertext attack, assuming that the standard Computational Diffie-Hellman problem is intractable.
Conference Paper
We propose the first generic construction of certificateless key encapsulation mechanism (CL-KEM) in the standard model, which is also secure against malicious-but-passive KGC attacks. It is based on an ID-based KEM, a public key encryption and a message authentication code. The high efficiency of our construction is due to the efficient implementations of these underlying building blocks, and is comparable to Bentahar et al.'s CL-KEMs, which are only proven secure under the random oracle model with no consideration of the malicious-but-passive KGC attacks. The second contribution of our work is that we introduce the notion of certificateless tag-based KEM (CL-TKEM), which is an extension of Abe et al.'s work in the certificateless setting. We show that an efficient CL-TKEM can be constructed by modifying our CL-KEM. We also show that with a CL-TKEM and a data encapsulation mechanism (DEM) secure under our proposed notions, an efficient hybrid certificateless encryption can be constructed by applying Abe et al.'s transformation in the certificateless setting.
Conference Paper
Despite the large number of certificateless encryption schemes recently proposed, many of them have been found to be insecure under a practical attack called the malicious-but-passive KGC attack, since they all follow the same key generation procedure as the one proposed by Al-Riyami and Paterson in ASIACRYPT 2003. The only scheme that remains secure against this attack is due to Libert and Quisquater (PKC 2006). However, its security can only be shown in the random oracle model. In this paper, we first show that a scheme which has a different key generation procedure from that of Al-Riyami and Paterson also suffers from the malicious-but-passive KGC attack. Our attacking techniques are different and may cause a greater extent of damage than the previous ones. We also propose a generic construction of certificateless encryption which can be proven secure against this attack in the standard model. This generic scheme is not only the first one proven secure in the standard model, but is also very efficient to instantiate. We also describe how to use short signatures and hybrid encryption to construct highly efficient instantiations of this generic scheme.
Article
This thesis introduces the concept of certificateless public key cryptography (CLPKC). Elliptic curve pairings are then used to make concrete CL-PKC schemes and are also used to make other efficient key agreement protocols. CL-PKC can be viewed as a model for the use of public key cryptography that is intermediate between traditional certificated PKC and ID-PKC. This is because, in contrast to traditional public key cryptographic systems, CL-PKC does not require the use of certificates to guarantee the authenticity of public keys. It does rely on the use of a trusted authority (TA) who is in possession of a master key. In this respect, CL-PKC is similar to identity-based public key cryptography (ID-PKC). On the other hand, CL-PKC does not suffer from the key escrow property that is inherent in ID-PKC. Applications for the new infrastructure are discussed. We exemplify how CL-PKC schemes can be constructed by constructing several certificateless public key encryption schemes and modifying other existing ID based schemes. The lack of certificates and the desire to prove the schemes secure in the presence of an adversary who has access to the master key or has the ability to replace public keys, requires the careful development of new security models. We prove that some of our schemes are secure, provided that the Bilinear Diffie-Hellman Problem is hard. We then examine Joux’s protocol, which is a one round, tripartite key agreement protocol that is more bandwidth-efficient than any previous three-party key agreement protocol, however, Joux’s protocol is insecure, suffering from a simple man-in-the-middle attack. We show how to make Joux’s protocol secure, presenting several tripartite, authenticated key agreement protocols that still require only one round of communication. The security properties of the new protocols are studied. Applications for the protocols are also discussed.
Conference Paper
This paper introduces and makes concrete the concept of certificateless public key cryptography (CL-PKC), a model for the use of public key cryptography which avoids the inherent escrow of identity-based cryptography and yet which does not require certificates to guarantee the authenticity of public keys. The lack of certificates and the presence of an adversary who has access to a master key necessitates the careful development of a new security model. We focus on certificateless public key encryption (CL-PKE), showing that a concrete pairing-based CL-PKE scheme is secure provided that an underlying problem closely related to the Bilinear Diffie-Hellman Problem is hard.
Article
This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense: indistinguishability against adaptive chosen-ciphertext attacks in the random oracle model. In particular, this conversion can be applied efficiently to an asymmetric encryption scheme that provides a large enough coin space and, for every message, enough variants of the encryption, like the ElGamal encryption scheme.
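As an added example of the conversion this abstract describes (written for this page; it is neither the original presentation by Fujisaki and Okamoto nor code from any paper listed here), the following Python applies it to ElGamal over a toy safe-prime group. The coins of the asymmetric encryption are derived as H(σ, m), the symmetric part is a hash-derived one-time pad G(σ), and decryption recomputes the coins, re-encrypts and rejects any ciphertext that does not reproduce its own asymmetric component. That re-encryption check is what turns the CPA-only scheme into one that resists chosen-ciphertext attacks in the random oracle model, and it is the step practitioners most often get wrong by returning the plaintext anyway. The group parameters, the hash-based pad and all function names are assumptions.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1; g = 4 is a square, hence of prime order q.
# Assumed, deliberately tiny parameters so the mechanics can be followed by hand.
P, Q, G = 1019, 509, 4


def _hash(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated, length-prefixed SHA-256 (stands in for the random oracles H and G)."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def _i2b(x: int) -> bytes:
    return x.to_bytes(2, "big")  # group elements are below P < 2**16

def _pad(sigma: int, n: int) -> bytes:
    """Symmetric part: the one-time pad G(sigma), stretched with a counter."""
    blocks = (n + 31) // 32
    return b"".join(_hash(b"G", _i2b(sigma), i.to_bytes(4, "big")) for i in range(blocks))[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def elgamal_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def elgamal_encrypt(pk: int, sigma: int, r: int):
    """CPA-only ElGamal with the coin r as an explicit input: the FO check must be able to recompute it."""
    return pow(G, r, P), sigma * pow(pk, r, P) % P

def elgamal_decrypt(sk: int, c1):
    a, b = c1
    return b * pow(a, (Q - sk) % Q, P) % P  # a^(-sk), using that a has order Q

def fo_encrypt(pk: int, m: bytes):
    """sigma random; r = H(sigma, m); c1 = Enc(pk, sigma; r); c2 = m xor G(sigma)."""
    sigma = pow(G, secrets.randbelow(Q - 1) + 1, P)
    r = int.from_bytes(_hash(b"H", _i2b(sigma), m), "big") % (Q - 1) + 1
    return elgamal_encrypt(pk, sigma, r), _xor(m, _pad(sigma, len(m)))

def fo_decrypt(sk: int, pk: int, ct):
    """Recover sigma and m, recompute r, re-encrypt and compare; anything else is rejected."""
    c1, c2 = ct
    sigma = elgamal_decrypt(sk, c1)
    m = _xor(c2, _pad(sigma, len(c2)))
    r = int.from_bytes(_hash(b"H", _i2b(sigma), m), "big") % (Q - 1) + 1
    if elgamal_encrypt(pk, sigma, r) != c1:
        return None  # tampered or malformed: no plaintext leaves the decryption box
    return m

def flip_bit(ct, i: int):
    """Flip one bit of the symmetric part (used to exercise the rejection path)."""
    c1, c2 = ct
    c2 = bytearray(c2)
    c2[i // 8 % len(c2)] ^= 1 << (i % 8)
    return c1, bytes(c2)
```

With this toy group a tampered ciphertext slips past the check whenever the recomputed coin happens to equal the original, i.e. with probability about 1/q, which is why the check is exercised on several single-bit flips; in a group of cryptographic size that probability is negligible.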
Conference Paper
We consider one-round key exchange protocols secure in the standard model. The security analysis uses the powerful security model of Canetti and Krawczyk and a natural extension of it to the ID-based setting. It is shown how KEMs can be used in a generic way to obtain two different protocol designs with progressively stronger security guarantees. A detailed analysis of the performance of the protocols is included; surprisingly, when instantiated with specific KEM constructions, the resulting protocols are competitive with the best previous schemes that have proofs only in the random oracle model.
Conference Paper
This paper presents a new identity based key agreement protocol. In id-based cryptography (introduced by Adi Shamir in [29]) each party uses its own identity as public key and receives his secret key from a master Key Generation Center, whose public parameters are publicly known. The novelty of our protocol is that it can be implemented over any cyclic group of prime order, where the Diffie-Hellman problem is supposed to be hard. It does not require the computation of expensive bilinear maps, or additional assumptions such as factoring or RSA. The protocol is extremely efficient, requiring only twice the amount of bandwidth and computation of the unauthenticated basic Diffie-Hellman protocol. The design of our protocol was inspired by MQV (the most efficient authenticated Diffie-Hellman based protocol in the public-key model) and indeed its performance is competitive with respect to MQV (especially when one includes the transmission and verification of certificates in the MQV protocol, which are not required in an id-based scheme). Our protocol requires a single round of communication in which each party sends only 2 group elements: a very short message, especially when the protocol is implemented over elliptic curves. We provide a full proof of security in the Canetti-Krawczyk security model for key exchange, including a proof that our protocol satisfies additional security properties such as forward secrecy, and resistance to reflection and key-compromise impersonation attacks.
Conference Paper
In this paper we introduce a novel type of cryptographic scheme, which enables any pair of users to communicate securely and to verify each other’s signatures without exchanging private or public keys, without keeping key directories, and without using the services of a third party. The scheme assumes the existence of trusted key generation centers, whose sole purpose is to give each user a personalized smart card when he first joins the network. The information embedded in this card enables the user to sign and encrypt the messages he sends and to decrypt and verify the messages he receives in a totally independent way, regardless of the identity of the other party. Previously issued cards do not have to be updated when new users join the network, and the various centers do not have to coordinate their activities or even to keep a user list. The centers can be closed after all the cards are issued, and the network can continue to function in a completely decentralized way for an indefinite period.
Conference Paper
Certificateless Public Key Cryptography (CLPKC) enjoys the advantage of ID-based public key cryptography without suffering from the key escrow problem. In 2005, Baek et al. proposed the first certificateless encryption (CLPKE) scheme that does not depend on pairing. Although it provides high efficiency, one drawback of their scheme is that the security proof only holds for a weaker security model in which the Type I adversary is not allowed to replace the public key associated with the challenge identity. In this paper, we eliminate this limitation and construct a strongly secure CLPKE scheme without pairing. We prove that the proposed scheme is secure against adaptive chosen-ciphertext attack in the random oracle model, provided that the Computational Diffie-Hellman problem is intractable.
Conference Paper
We study notions and schemes for symmetric (i.e. private-key) encryption in a concrete security framework. We give four different notions of security against chosen plaintext attack and analyze the concrete complexity of reductions among them, providing both upper and lower bounds, and obtaining tight relations. In this way we classify notions (even though polynomially reducible to each other) as stronger or weaker in terms of concrete security. Next we provide concrete security analyses of methods to encrypt using a block cipher, including the most popular encryption method, CBC. We establish tight bounds (meaning matching upper bounds and attacks) on the success of adversaries as a function of their resources.
Conference Paper
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most efficient of all known authenticated Diffie-Hellman protocols that use public-key authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying "the next generation cryptography to protect US government information". One question that has not been settled so far is whether the protocol can be proven secure in a rigorous model of key-exchange security. In order to provide an answer to this question we analyze the MQV protocol in the Canetti-Krawczyk model of key exchange. Unfortunately, we show that MQV falls to a variety of attacks in this model that invalidate its basic security as well as many of its stated security goals. On the basis of these findings, we present HMQV, a carefully designed variant of MQV, that provides the same superb performance and functionality of the original protocol but for which all of MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption. We base the design and proof of HMQV on a new form of "challenge-response signatures", derived from the Schnorr identification scheme, that have the property that both the challenger and signer can compute the same signature; the former by having chosen the challenge and the latter by knowing the private signature key.
Conference Paper
A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of "revoked" users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a "pirate decoder", the center can trace at least one of the "traitors" given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., (19, 21)) only achieves a very weak form of non-adaptive security even against chosen plaintext attacks. In fact, no CCA2 scheme was known even in the symmetric setting. Of independent interest, we present a slightly simpler construction that shows a "natural separation" between the classical notion of CCA2 security and the recently proposed (20, 1) relaxed notion of gCCA2 security.
Conference Paper
On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication-by-ℓ map [ℓ] has degree ℓ², therefore the complexity to directly evaluate [ℓ](P) is O(ℓ²). For a small prime ℓ (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curve admits an isogeny φ of degree ℓ then the cost of computing φ(P) should in contrast be O(ℓ) field operations. Since we then have a product expression [ℓ] = φ̂ ∘ φ, the existence of an ℓ-isogeny φ on an elliptic curve yields a theoretical improvement from O(ℓ²) to O(ℓ) field operations for the evaluation of [ℓ](P) by naïve application of the defining polynomials. In this work we investigate actual improvements for small ℓ of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [ℓ] = φ̂ ∘ φ, and provide explicit examples of such a family of curves with simple decomposition for [E. Brier, M. Joye, in: Applied algebra, algebraic algorithms and error-correcting codes. 15th international symposium, AAECC-15, Toulouse, France, May 12-16, 2003. Proceedings. Berlin: Springer. Lect. Notes Comput. Sci. 2643, 43–50 (2003; Zbl 1030.11027)]. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation with non-adjacent forms for ℓ-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.
Article
Certificateless public key cryptography was introduced to solve the key escrow problem in identity based cryptography while enjoying the most attractive certificateless property. In this paper, we present the first secure certificateless public key encryption (CLPKE) scheme without redundancy. Our construction provides optimal bandwidth and a quite efficient decryption process compared with the existing CLPKE schemes. It is provably secure against adaptive chosen ciphertext attacks in the random oracle model under a slightly stronger assumption.
Article
Certificateless cryptography solves the key escrow problem that is inherent in identity-based cryptography. In PKC 2008, Dent et al. proposed a certificateless encryption scheme strongly secure in the standard model. They claimed that their CLE encryption scheme is provably strongly secure against a strong type I adversary and a type II adversary. In this paper, we show that their certificateless encryption scheme is completely insecure and the claim of provable security is seriously incorrect, by a type I adversary who can replace users' public keys and access the encryption oracle under the replaced public keys.
Article
This paper surveys the literature on certificateless encryption schemes. In particular, we examine the large number of security models that have been proposed to prove the security of certificateless encryption schemes and propose a new nomenclature for these models. This allows us to “rank” the notions of security for a certificateless encryption scheme against an outside attacker and a passive key generation centre, and we suggest which of these notions should be regarded as the “correct” model for a secure certificateless encryption scheme. We also examine the security models that aim to provide security against an actively malicious key generation centre and against an outside attacker who attempts to deceive a legitimate sender into using an incorrect public key (with the intention to deny the legitimate receiver the ability to decrypt the ciphertext). We note that the existing malicious key generation centre model fails to capture realistic attacks that a malicious key generation centre might make and propose a new model. Lastly, we survey the existing certificateless encryption schemes and compare their security proofs. We show that few schemes provide the “correct” notion of security without appealing to the random oracle model. The few schemes that do provide sufficient security guarantees are comparatively inefficient. Hence, we conclude that more research is needed before certificateless encryption schemes can be thought to be a practical technology.
Conference Paper
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; we prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.
– CLE.Setup, CLE.ExtractPartialKey, CLE.SetSecretValue, CLE.SetPublicKey, CLE.SetPrivateKey: the same as in the FGS transformation.
– CLE.Dec(mpk, sk_ID = (D_ID, S_ID), c): 1. parse c into (C_1, C_2); 2. compute K ← Derive_I(mpk, D_ID, S_ID, C_1); 3. compute m‖δ ← DEM.Dec(K, C_2); 4. compute r
Adi Shamir, Identity-based cryptosystems and signature schemes, in: CRYPTO 1984, pp. 47–53.