(3.231.166.56) 您好!臺灣時間:2021/03/08 11:29
字體大小: 字級放大   字級縮小   預設字形  
回查詢結果

詳目顯示:::

我願授權國圖
: 
twitterline
研究生:鄭錦楸
研究生(外文):Jiin-Chiou Cheng
論文名稱:基於雙線性配對之密碼協定的研究
論文名稱(外文):Cryptographic Protocols Based on Bilinear Pairing
指導教授:賴溪松賴溪松引用關係
指導教授(外文):Chi-Sung Laih
學位類別:博士
校院名稱:國立成功大學
系所名稱:電機工程學系碩博士班
學門:工程學門
學類:電資工程學類
論文種類:學術論文
論文出版年:2009
畢業學年度:97
語文別:英文
論文頁數:85
中文關鍵詞:向前安全計量系統可驗證之秘密分享再加密橢圓曲線雙線性配對錯誤檢查會議金鑰協議
外文關鍵詞:Re-encryptionMetering schemeVerifiable secret shadowForward securityBilinear pairingElliptic curveFault-toleranceConference key agreement
相關次數:
  • 被引用被引用:0
  • 點閱點閱:324
  • 評分評分:系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔系統版面圖檔
  • 下載下載:51
  • 收藏至我的研究室書目清單書目收藏:0
自從Koblitz與Miller於1985分別提出以橢圓曲線之離散對數來架構密碼系統後,由於橢圓曲線密碼系統具有較短金鑰長度的優勢,因此很適合在一些資源有限的行動裝置上,進行加解密或簽章驗證的工作。不過,Menezes,Okamoto及Vanstone三位學者在1993年藉由數學分析工具Weil pairing卻發現,使用某些特定的橢圓曲線所設計的密碼系統是不安全的,此即所謂的MOV攻擊。但是也由於這項發現,造就了後來蓬勃發展的Pairing-based cryptosystem。
在Pairing-based cryptosystem中,pairing計算是很耗時的,一般常用的Pairing有Weil Pairing與Tate Pairing這兩種,其中Weil Pairing的計算量是Tate Pairing的兩倍。另外,如果選擇了某些特定的橢圓曲線,也可以加快Pairing的計算。在本論文中,採用的橢圓曲線為Weierstrass equation E(Fp): y²=x³+1,其中要求質數p=2 mod 3且p=6q-1,而q是比3大的某大質數,這樣的曲線選擇有助於提升Pairing的計算速度。
由於Pairing具備了以下三個誘人的特性:(1) Bilinearity (2) Non-degeneracy (3) Commutativity,因此,過去許多難以設計的應用協定,當改用Pairing來設計,經常可以獲得意想不到的結果,這都要歸功於Pairing的這三個特性使然,而這也使得Pairing-Based的密碼系統更受到大家的注意。
本論文先就Pairing-based cryptosystem,提出兩種常用的作法,即ID-based Cryptosystem與Certificate-based Cryptosystem,詳述這兩系統在加解密與數位簽章驗證上的技巧,這些技巧有助於後續發展複雜應用協定時,提供參考之用。
接著,我們提出植基於Pairing的三個應用協定:
(一). Conference key agreement protocol:此協定主要著重在建立會議金鑰時,避免遭受會議參與者的惡意攻擊,延遲會議金鑰的建立,進而導致會議無法按預期時間進行。本協定使用了橢圓曲線上的一個技巧,可以檢視參與者送出的參與金鑰合成之訊息是否帶有惡意,這項檢視不需要任何參與者的interaction。比較先前的文獻,我們所提的協定的計算量約略等於先前文獻,但是我們的協定卻可在不需要interaction下達到抵擋惡意攻擊的目的。
(二). Metering scheme:此協定主要設計一個計量Scheme,此Scheme可用於入口網站之訪客數計數,入口網站藉由訪客數,可對刊登廣告的業者要求適當的費用。計數的客觀與正確性是我們的述求,另外為求方便性,本Scheme中的visitor可隨時間的推演,進行自我更新secret shadow的行為。
(三). Proxy re-encryption scheme:此類scheme主要是透過Proxy,進行解密能力的授權。本scheme改進了Ateniese et al. 所提出的scheme,原來該scheme的設計是要求有兩種不同的加密方法—可再加密與不可再加密兩種密文格式,以應付不同的狀況。而我們提出只需要一種密文格式,即可應付所需的情境。另外我們的scheme滿足了Ateniese et al. 所提出的九個requirements,而這些requirements並沒有完全被Ateniese et al. 所提的scheme所滿足。
上述三個協定實現了用傳統方式難以做到的應用,亦即用基於解離散對數與分解因數的兩難問題,並不容易實現上述的三個應用。另外使用bilinear pairing所設計的系統,在安全性與計算量這兩方面,與用傳統方式設計的系統差距不大,因此,Pairing-based cryptosystem是很值得繼續深入研究的。
Koblitz and Miller had suggested a cryptosystem based on discrete logarithm over a elliptic curve (ECDL) individually since 1985. From that, numerous applications about signature and encryption based on ECDL have been raised. Cryptography over ECDL possesses the advantage of shorter length key on the same level of security while compared with ElGamal and RSA. Therefore, these applications based on ECDL are suitable for mobile devices with less system resource. In 1993, however, Menezes, Okamoto, and Vanstone utilized the mapping of Weil pairing to analyze ECDL and found out that some cryptosystems created from specific supersingular elliptic curve are insecure, which is named as MOV attack. But, due to the discovery of the insecurity, the vigorous developments of pairing-based cryptosystem have been brought about.
The computation of pairing in pairing-based cryptosystem is consuming. There are two kinds of pairings – Weil pairing and Tate pairing. The amount of computation of a Tate pairing is half of that of a Weil pairing. The appropriate selection of specific elliptic curve also improves the performance of the computation of pairing. In this dissertation we adopt the Weierstrass equation as our elliptic curve E(Fp): y²=x³+1, where the prime p=2 mod 3 and p=6q-1 for some large prime q.
Pairing is equipped with three attractive features: (i) bilinearity (ii) non-degeneracy (iii) commutativity. The protocols which are hard to be constructed in the past can easily be built now with the help of the mapping of pairing. The attainments are attributed to the three features of pairing. Therefore, cryptosystems based on pairing are becoming more and more inspiring.
In this dissertation we first raise two cryptosystem based on bilinear pairing -- ID-based cryptosystem and Certificate-based cryptosystem, which are usually seen among many applications. To be familiar with the techniques applied in these cryptosystem will be helpful to design more complicated protocol for us.
Next, we propose three application protocols based on bilinear pairing:
(1) Conference key agreement protocol: The protocol is to emphasize to resist against the malicious attack from the participating conferee. Such malicious attack may is raised by means of the improper message contributed by the conferee at the initial setup phase. The attack will influence the establishment of conference key and then the start of the conference. The protocol suggests a skill over elliptic curve to verify the message coming from the participating conferee at the initial setup phase without any interaction between the conferees. Compared with the past literature, our protocol is superior to other protocols on the consideration of the existence of malicious conferee.
(2) Metering scheme: The main goal of the protocol is to count the amount of the visitors calling on some portal website. According the amount of the visitors, the portal website may ask the advertising agency to pay the distinct advertisement fee. Our ambition is to achieve the validity and fairness of impact account. Besides, for convenience, the visitors in our protocol can refresh his secret shadow without any interaction with the trusted audit agency at the new period of time, where the secret shadow will be asked while visiting a portal website.
(3) Proxy re-encryption scheme: The scheme may delegate the operation of decryption to some user via the procedure of re-encryption of ciphertext by some proxy. Our scheme improves the proxy re-encryption suggested by Ateniese et al. For the latter, two types of ciphertext are required – re-encryptable type and non- re-encryptable type for the need of the different scenarios. In our scheme, we need only one type of ciphertext. Moreover, Our scheme satisfies all the nine requirements suggested by Ateniese et al, where the requirements are essential elements while constructing proxy re-encryption scheme, and they are not all satisfied by Ateniese et al’s scheme.
The above protocols carry out three applications which can not be approached easily in terns of traditional manner based on solving discrete logarithm and factorial. Besides, systems designed with bilinear pairing do not pay more computation while compared with ones constructed by traditional manner under the same level of security. Therefore, pairing-based cryptosystem is worthy to be researched continuously.
摘 要 ……………………………………………………………. i
Abstract ………………………………………………………… iii
誌 謝 …………………………………………………………… vi
Contents ………………………………………………………… vii
1 Introduction ……………………………………………………1
2 Preliminaries …………………………………………………3
2.1 Bilinear Pairing ..............................3
2.2 Complexity Assumptions ........................4
2.3 ID-Based Cryptosystem .........................6
2.4 Certificate-Based Cryptosystem ………………………8
3 Conference Key Agreement ……………………………………11
3.1 Model and Idea .................................14
3.2 Proposed Protocol ..............................16
3.3 Existence and concrete algorithm of f ..........20
3.4 Analysis of Security ...........................22
3.5 An Example .....................................30
3.6 Performance Comparison .........................33
4 Metering Scheme ………………………………………………37
4.1 Scenario and Model ............................39
4.2 Proposed Scheme ...............................41
4.3 Analysis of Security ..........................44
4.4 Evaluation of Performance .....................48
5 Proxy Re-encryption …………………………………………50
5.1 Scenario and Model ............................51
5.2 Proposed Scheme ...............................52
5.3 Analysis of Security ..........................54
5.4 Advantages and Performance ....................56
6 Conclusion …………………………………………………….60
Bibliography ………………………………………………………62
A The Derivation of Eqs. (4.1)-(4.7) …………………….69
B Tutorial about Bilinear Pairing …………………………72
簡 歷 ………………………………………………………………83
Vita …………………………………………………………………84
[1] Ateniese, G., Fu, K., Green, M. and Hohenberger, S.: Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage. In: Proc. NDSS’05, pp. 29-43, 2005. Full version available at http://eprint.iacr.org/2005/028.
[2] Asokan, N. and Ginzboorg, P.: Key agreement in ad hoc networks. Computer Communications Vol. 23, Issue 17, pp. 1627-1637 (2000)
[3] Blundo, C., Bonis, A. D. and Masucci, B.: Metering Schemes with Pricing. In: Proc. DISC 2000, LNCS 1914, pp. 194-208, 2000.
[4] Blundo, C., Bonis, A. D., Masucci, B. and Stinson, D. R.: Dynamic Multithreshold Metering Schemes. In: Proc. SAC 2000, LNCS 2012, pp. 130-144, 2001.
[5] Blaze, M., Bleumer, G. and Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Proc. Eurocrypt ’98, volume 1403, pages 127–144 (1998)
[6] Burmester, M., Desmedt, Y.: A Secure and Efficient Conference Key Distribution System. In: Proc. Eurocrypt’94, LNCS 950, pp. 275-286 (1995)
[7] Boneh, D. and Franklin, M.: Identity-Based Encryption From The Weil Pairing. In: Proc. Crypto’01, LNCS 2139, pp. 213-229 (2001)
[8] Boyd, C. and Gonzalez Nieto, J.: Round-Optimal Contributory Conference Key Agreement. In: Public Key Cryptography - PKC 2003, LNCS 2567, pp. 161-174 (2003)
[9] Ben-Or, M., Goldwasser, S. and Wigderson, A.: Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation. In: Proc. 20th ACM Symp. Theory of Computing , pp. 1-10 (1988)
[10] Barreto, P., Kim, H. Y., Lynn, B. and Scott, M.: Efficient Algorithms for Pairing-Based Cryptosystems. In: Proc. Crypto’02, LNCS 2442, pp. 354-369 (2002)
[11] Blaze, M.: A cryptographic file system for UNIX. In: ACM Conference on Computer and Communications Security, pp. 9–16 (1993)
[[12] Bellare, M. and Rogaway, P.: Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. In: Proc. First ACM Computer and Comm. Security, pp. 62-73 (1993)
[13] Bellare, M. and Rogaway, P.: The exact security of digital signature - How to sign with RSA and Rabin. In: Proc. Eurocrypt’96, LNCS 1070, pp. 399-416 (1996)
[14] Blake, I. F., Seroussi, G. and Smart, N. P.: Elliptic Curves in Cryptography. Cambridge University Press, Cambridge (1999)
[15] Blake, I. F., Seroussi, G. and Smart, N. P.: Advances in Elliptic Curve Cryptography. Cambridge University Press, Cambridge (2005)
[16] Baek, J., Steinfeld, R. and Zheng, Y.: Formal proofs for the security of signcryption. In: Proc. of Public Key Cryptography ’02, LNCS 2274, pp. 80–98 (2002)
[17] Dodis, Y., Franklin, M. K., Katz, J., Miyaji, A. and Yung, M.: A generic construction for intrusion-resilient public-key encryption. In: Proc. of CT-RSA ’04, LNCS 2964, pp. 81–98 (2004)
[18] Diffie, W. and Hellman, M.: New Directions in Cryptography. IEEE Trans. Information Theory, Vol. 22, pp. 644-654 (1976)
[19] Dodis, Y. and Ivan, A.: Proxy cryptography revisited. In: Proc. of the Tenth Network and Distributed System Security Symposium (2003)
[20] Eisentrager, K., Lauter, K. and Monotgomery, P. L.: Fast elliptic curve arithmetic and improved Weil pairing evaluation. In: Proc. CT-RSA 2003, LNCS 2612, pp.343-354 (2003)
[21] Golle, P., Jakobsson, M., Juels, A. and Syverson, P. F.: Universal re-encryption for mixnets. In Proc. of CT-RSA ’04, LNCS 2964, pp. 163–178 (2004)
[22] Goh, E. J., Shacham, H., Modadugu, N. and Boneh, D.: SiRiUS: Securing remote untrusted storage. In Proc. of the Tenth Network and Distributed System Security Symposium, pp. 131–145 (2003)
[23] Hwang, T. L. and Chen, J. L.: Identity-Based Conference Key Broadcast Systems. In: IEE Proc. Computers and Digital Techniques, Vol. 141, no. 1, pp. 57-60 (1994)
[24] Klein, B., Otten, M. and Beth, T.: Conference Key Distribution Protocols in Distributed Systems. In: Proc. Codes and Ciphers - Cryptography and Coding IV, pp. 225-242 (1995)
[25] Koyama, K.: Secure Conference Key Distribution Schemes for Conspiracy Attack. In: Proc. Eurocrypt’92, LNCS 658, pp. 449-453 (1993)
[26] Kallahalla, M., Riedel, E., Swaminathan, R., Wang, Q. and Plutus, K. F.: scalable secure file sharing on untrusted storage. In: Proc. of the Second USENIX Conference on File and Storage Technologies (2003)
[27] Katz, J. and Shin, J. S.: Modeling Insider Attacks on Group Key-Exchange Protocols. In: ACM CCS’05, pp. 180-189 (2005)
[28] Laih, C. S., Tai, W. C. and Tu, F. K.: On the Security of The LUCAS Function. Information Processing Letters, Vol. 53, pp. 243-247 (1995)
[29] Mao, W.: Modern Cryptography - Theory and Practice. ch13-16, Prentice Hall Company, New Jersey (2004)
[30] Menezes, A.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Massachusetts (1995)
[31] Miller, V.: Short programs for functions on curve. unpublished manuscript, (1986)
[32] Mambo, M. and Okamoto, E.: Proxy cryptosystems: Delegation of the power to decrypt ciphertexts. IEICE Trans. Fund. Electronics Communications and Computer Science, E80-A/1:54–63 (1997)
[33] Menezes, A. J., Okamoto, T. and Vanstone, S. A.: Reducing elliptic curve logarithms to a finite field. IEEE Transtions on Information Theory, vol. 39, pp. 1636-1646 (1993)
[34] Masucci, B. and Stinson, D. R.: Efficient Metering Schemes with Pricing. IEEE Transtions on Information Theory, vol. 47,No. 7, pp. 2835-2844 (2001)
[35] Naor, M. and Pinkas, B.: Secure and Efficient Metering. In: Proc. Eurocrypt’98, LNCS 1403, pp.576-590 (1998)
[36] Ogata, W. and Kurosawa, K.: Provably Secure Metering Scheme. In: Proc. Asiacrypt 2000, LNCS 1976, pp. 388-398 (2000)
[37] Rabin, T. and Ben-Or, M.: Verifiable Secret Sharing and Multi-party Protocols with Honest Majority. In: Proc. 26th ACM symp. Theory of Computing, pp. 73-85 (1989)
[38] Rueppel, R. and Oorschot, P. V.: Modern Key Agreement Techniques. Computer Comm. (1994)
[39] Rosing, M.: Implementing Elliptic Curve Cryptography. Manning Publications Company, Greenwich (1999)
[40] Shamir, A.: How to Share a Secret. Comm. ACM, Vol. 22, pp. 612-613 (1979)
[41] Shimbo, A. and Kawamura, S.: Cryptanalysis of Several Conference Key Distribution Schemes. In: Proc. Asiacrypt’91, LNCS 739, pp. 265-276 (1993)
[42] Sakai, R., Ohgishi, K. and Kasahara, M.: Cryptosystems based on pairing. In: Proc. of the 2000 Symposium on Cryptography and Information Security, Okinawa, Japan (2001)
[43] Steiner, M., Tsudik, G. and Waidner, M.: Key agreement in dynamic peer groups. IEEE Trans. on Parallel and Distributed Systems, Vol. 11, Issue 8, pp. 769-780,
Aug. (2000)
[44] Steiner, M., Tsudik, G. and Waidner, M.: CLIQUES: a new approach to group key agreement. In: Proc. 18th International Conference on Distributed Computing Systems (1998)
[45] Tzeng, W. G., Tzeng and Z. J.: Round-Efficient Conference Key Agreement Protocols with Provable Security. In: Proc. Asiacrypt’00, LNCS 1976, pp. 614-627,
Dec. (2000)
[46] Tingjun, S., Yuanbo, G. and Jianfeng, M.: A fault-tolerant and secure multiconference-key agreement protocol. In: Proc. International Conference on Communications, Circuits and Systems, Vol. 1, pp. 18-21 (2004)
[47] Tzeng, W. G.: A Secure Fault-Tolerant Conference-Key Agreement Protocol. IEEE Trans. on Computers, Vol. 51, No. 4, pp. 373-379, Apr. (2002)
[48] Verheul, E. R.: Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. In: Proc. Eurocrypt’01, LNCS 2045, pp. 195-210. (2001)
[49] Wu, T. C.: Conference Key Distribution System with User Anonymity Based on Algebraic Approach. In: IEE Proc. Computers and Digital Techniques, Vol. 144, no. 2, pp. 145-148 (1997)
[50] Yanga, C. C., Changa, T. Y. and Hwang, M. S.: A new anonymous conference key distribution system based on the elliptic curve discrete logarithm problem. Computer Standards & Interfaces, Vol. 25, Issue 2, pp. 141-145, May (2003)
[51] Yi, X.: Identity-Based Fault-Tolerant Conference Key Agreement. IEEE Trans. on Dependable and Secure Computing, Vol. 1, No. 3, pp. 170-178, Jul.-Sep. (2004)
[52] Yi, X., Siew, C. K. and Tan, C. H.: A secure and efficient conference scheme for mobile communications. IEEE Trans. on Vehicular Technology, Vol. 52, No. 4, pp.
784-793, Jul. (2003)
[53] Zheng, Y.: Signcryption and its applications in efficient public key solutions. In: Proc. of ISW ’97, LNCS 1396, pp. 291–312 (1997)
[54] Zongkai, Y., Haitao, X., Wenqing, C. and Yunmeng, T.: An Identity-Based Fault-Tolerant Conference Key Distribution Scheme. In: Proc. 7th International Conference
on Parallel and Distributed Computing, Applications and Technologies (2006)
連結至畢業學校之論文網頁點我開啟連結
註: 此連結為研究生畢業學校所提供,不一定有電子全文可供下載,若連結有誤,請點選上方之〝勘誤回報〞功能,我們會盡快修正,謝謝!
QRCODE
 
 
 
 
 
                                                                                                                                                                                                                                                                                                                                                                                                               
第一頁 上一頁 下一頁 最後一頁 top
系統版面圖檔 系統版面圖檔