具代理授權特性的可轉換鑑別加密方法

Abstract

在日常的生活中，數位簽章及公開金鑰加密是保護線上交易安全的二種常用機制。前者確保鑑別性與不可否認性，後者則保障機密性。 欲提供密碼方法同時具備機密性與鑑別性，鑑別加密方法是一較佳的選擇，與直接簽章再加密的方式相較，鑑別加密法可提升效率與降低通訊成本。此方法允許簽署者產生一鑑別加密訊息，使得僅特定驗證者有能力來解密此訊息並驗證其對應的簽章。可轉換鑑別加密方法不僅具備上述所提的特性，當發生事後的否認爭議時，更提供額外的簽章轉換機制使任意人信服簽署者的不誠實。 代理簽章方法允許一位被授權者，稱為代理簽署者，根據事先定義好的簽署策略，代表原始簽署者產生合法的代理簽章。在本論文中，作者提出三種具代理授權特性的可轉換鑑別加密方法，分別植基於RSA、CDHP、BDHP不同的密碼假設難題。所提之方法允許一位代理簽署者代表原始簽署者產生一合法的鑑別加密訊息，同時僅有一位特定接收者有能力解密並驗證其對應的代理簽章。由於轉換後的原始代理簽章會在訊息回復與驗證簽章的過程中被運算出來，因此簽章轉換的程序相當簡單，而且可由特定驗證者在不需額外計算或通訊成本的情況下獨立完成。我們也提出一個群體導向的變形方法，其允許一個由n位原始簽署者組成的群體授權他們的簽署能力給一位代理簽署者，來代表此原始簽署群體產生鑑別加密訊息。為了方便大訊息的加密，作者進一步提出藉由將一個大訊息切割為多個小訊息區塊的具訊息鏈結的變形方法。 與之前的文獻相比，所提的方法不僅有較低的計算成本，同時亦提供較佳的功能性。此外，在抵抗調整式選擇密文攻擊的機密性安全需求與抵抗調整式選擇訊息攻擊的不可偽造性安全需求，也在random oracle模型下證明。

In modern daily life, digital signatures and public key encryptions are two commonly applied mechanisms for protecting the security of on-line transactions. The former ensures authenticity and non-repudiation while the latter guarantees confidentiality. To simultaneously provide cryptographic schemes with confidentiality and authenticity, an authenticated encryption (AE) scheme is a better alternative for promoting efficiency and reducing communication overheads as compared to the straightforward sign-then-encrypt method. Such schemes allow a signer to produce an authenticated ciphertext, such that only a designated recipient has the ability to decrypt the ciphertext and verify its corresponding signature. Convertible authenticated encryption (CAE) schemes not only inherit the characteristic mentioned above, but also provide additional signature conversion mechanism to convince anyone of signer’s dishonesty when a later dispute occurs. Proxy signature schemes allow an authorized person called proxy signer to generate proxy signatures on behalf of an original signer according to the predefined signing policy. In this dissertation, the author proposes three CAE schemes with proxy delegation based on different cryptographic assumptions, i.e., RSA, CDHP, BDHP, respectively. The proposed schemes allow a proxy signer to generate a valid authenticated ciphertext on behalf of an original signer and only the intended recipient is capable of decrypting it and verifying the corresponding proxy signature. The signature conversion is rather simple and can be solely done by the designated recipient with neither extra computation costs nor communication overheads, since the converted proxy signature will be derived during the message recovery and signature verification phase. We also present a group-oriented variant which enables an original group consisting of n signers to delegate their signing power to a proxy signer such that the latter can generate an authenticated ciphertext on behalf of the former. For facilitating the encryption of a large message, the author further introduces the other variant with message linkages by dividing a large message into many small message blocks. As compared with previous works, the proposed schemes not only have lower computation costs, but also provide better functionalities. Additionally, the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and that of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) are proved in the random oracle model.