Research on the Application of Linear Maps in Security Protocols

Published: 2018-01-16 15:12

Keywords: Research on the Application of Linear Maps in Security Protocols    Source: Xidian University, 2016 doctoral dissertation    Document type: degree thesis


More related terms: linear maps; verifiable computation; functional encryption; re-encryption; secure multi-party computation


[Abstract]: Linear maps, and in particular pairings, are a powerful mathematical tool that plays an important role in modern cryptography; a large number of cryptographic schemes are built on linear maps of one kind or another. The linear maps used in cryptography fall mainly into two classes, bilinear maps and multilinear maps, and both have many applications. Since the one-round three-party Diffie-Hellman key exchange protocol and identity-based encryption, research on bilinear maps has been one of the mainstream directions of modern cryptography. As an already fairly mature tool, bilinear maps also have typical applications in attribute-based encryption and signature schemes, some functional encryption schemes, and efficient non-interactive zero-knowledge proof systems. Multilinear maps are not yet as mature, but they are a very promising cryptographic tool and have already been applied in some areas, such as indistinguishability obfuscation; many novel schemes have been built on this primitive in recent years. Roughly speaking, research on linear maps divides into research on the maps themselves and research on the application schemes built on them; this thesis is concerned with the latter.

Powerful as they are, linear maps are not a universal tool and are not without drawbacks. Pairing-based schemes are in general less efficient, mainly because the pairing operation between groups, e: G × G → G_T, is slower than ordinary operations inside a group. For the same functionality, a pairing-free scheme is therefore usually more efficient than one that relies on pairings, which has made pairing-free constructions a research direction of its own in cryptography, one that aims both at improving the efficiency of schemes and at weakening the security assumptions they rely on. In addition, although many pairing-based schemes already exist, many schemes remain to be designed or improved. This thesis studies schemes based on linear maps mainly from the point of view of their functionality and their security assumptions. More specifically, the main contributions are as follows.

(1) Verifiable computation from functional encryption. We propose two verifiable computation schemes based on functional encryption. The first is built on inner-product encryption and offers stronger privacy: compared with the earlier work of Parno et al. in this direction, it achieves both input privacy and function privacy, neither of which their scheme has. Its limitation is that it cannot support functions represented by general circuits, only functions expressible as vector inner products; in practice, however, inner-product functions are already sufficient for many uses. The main feature of the second scheme is that it supports functions represented by general circuits, which greatly widens the range of functions whose computation can be outsourced. As a trade-off, the second scheme achieves neither input privacy nor function privacy. To obtain input privacy we develop two methods on top of the second scheme, yielding two variants of it. Although the second scheme does not achieve function privacy, it still provides a partial candidate solution to the open problem posed by Ananth et al. at PKC 2014.

(2) Identity-based proxy re-encryption. We construct two identity-based re-encryption schemes. Both follow similar ideas, provide similar functionality, and are built on homomorphic encryption together with identity-based re-encryption. The most significant difference between them is that the first supports only single-hop re-encrypted ciphertexts, whereas the second supports multi-hop re-encrypted ciphertexts. The second scheme achieves this stronger property through its choice of the group element X and of the underlying identity-based encryption algorithm, at the cost of a more complex homomorphic ciphertext-evaluation circuit. Both schemes let a resource-constrained user complete the re-encryption task with a very lightweight amount of work and avoid some additional costs, such as sending information related to the user's own private key to the server.

(3) Secure multi-party computation. We propose two secure three-party protocols for computing the area of a triangle. Beyond being pairing-free, their main advantages lie in their building blocks and in the security assumptions they rely on. As to building blocks, they avoid oblivious transfer, which has become an almost indispensable component of most secure multi-party computation protocols. As to assumptions, the protocols rely on a very weak one, namely only the existence of a pseudorandom generator. Finally, our simulation-based proof is also somewhat novel: the adversary is allowed to choose the protocol's result adaptively, after which the simulation proof proceeds.
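The third contribution above is a pairing-free three-party protocol that avoids oblivious transfer and assumes only a pseudorandom generator. The example below is added here to show how such a protocol can be structured; it is not the dissertation's own protocol and does not reproduce its simulation proof. It is a generic semi-honest, honest-majority three-party computation over Z_p using replicated (2-out-of-3) secret sharing, in which the only cryptographic ingredient is a PRF (HMAC-SHA256 standing in for the PRG) that derives the zero-sharings used to randomise each multiplication. The modulus P, the use of HMAC-SHA256, the coordinate bound and the vertex encoding are assumptions of the example.

```python
"""Added illustration, not the dissertation's protocol: semi-honest 3PC of
twice the signed area of a triangle whose vertex i is the private input of
party i.  Replicated secret sharing over Z_p; the only primitive is a PRF
(HMAC-SHA256, assumed here in place of a PRG).  No pairing, no oblivious
transfer.  All three parties are simulated in one process.
"""
import hashlib
import hmac
import secrets

P = (1 << 61) - 1   # assumed prime modulus; coordinates assumed |c| < 2**29
                    # so that 2*area lies strictly inside (-P/2, P/2)


def prf(key, ctr):
    """Pseudorandom field element from a pairwise-shared seed and a counter."""
    tag = hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % P


class Party:
    """Party i holds seeds k_i and k_{i+1}; seed k_j is shared by parties j and j-1."""

    def __init__(self, idx, seeds):
        self.k_own = seeds[idx]
        self.k_next = seeds[(idx + 1) % 3]
        self.ctr = 0   # every party advances it once per multiplication, in lockstep

    def zero_share(self):
        """alpha_i = F(k_i, c) - F(k_{i+1}, c); the three alphas sum to 0 mod p."""
        self.ctr += 1
        return (prf(self.k_own, self.ctr) - prf(self.k_next, self.ctr)) % P


def share(v):
    """The input owner splits v = s0 + s1 + s2 and gives party i the pair (s_i, s_{i+1})."""
    s = [secrets.randbelow(P), secrets.randbelow(P)]
    s.append((v - s[0] - s[1]) % P)
    return [(s[i], s[(i + 1) % 3]) for i in range(3)]


def add(a, b):
    """Local addition of shared values; no communication."""
    return [((a[i][0] + b[i][0]) % P, (a[i][1] + b[i][1]) % P) for i in range(3)]


def sub(a, b):
    """Local subtraction of shared values; no communication."""
    return [((a[i][0] - b[i][0]) % P, (a[i][1] - b[i][1]) % P) for i in range(3)]


def mul(parties, a, b):
    """One round, one field element sent per party, no OT.

    With a[i] = (x_i, x_{i+1}) and b[i] = (y_i, y_{i+1}), party i computes
    z_i = x_i*y_i + x_i*y_{i+1} + x_{i+1}*y_i + alpha_i.  The nine cross terms
    of x*y are covered exactly once, so z_0 + z_1 + z_2 = x*y, and alpha_i
    hides the partial product.  Party i+1 then sends z_{i+1} to party i,
    restoring the replicated form.
    """
    z = []
    for i, pt in enumerate(parties):
        (x0, x1), (y0, y1) = a[i], b[i]
        z.append((x0 * y0 + x0 * y1 + x1 * y0 + pt.zero_share()) % P)
    return [(z[i], z[(i + 1) % 3]) for i in range(3)]


def reconstruct(sh):
    """Open a shared value by summing the three summands s_0 + s_1 + s_2."""
    return (sh[0][0] + sh[1][0] + sh[2][0]) % P


def to_signed(v):
    """Map a field element back to a signed integer in (-P/2, P/2)."""
    return v - P if v > P // 2 else v


def twice_signed_area(vertices):
    """vertices = [(x1, y1), (x2, y2), (x3, y3)], vertex i private to party i.

    Evaluates (x2-x1)(y3-y1) - (x3-x1)(y2-y1) = 2 * signed area.  The sign
    encodes the orientation, and 0 means the three points are collinear.
    """
    seeds = [secrets.token_bytes(32) for _ in range(3)]   # pairwise-shared seeds
    parties = [Party(i, seeds) for i in range(3)]
    xs = [share(x % P) for x, _ in vertices]
    ys = [share(y % P) for _, y in vertices]
    t1 = mul(parties, sub(xs[1], xs[0]), sub(ys[2], ys[0]))
    t2 = mul(parties, sub(xs[2], xs[0]), sub(ys[1], ys[0]))
    return to_signed(reconstruct(sub(t1, t2)))


def zero_shares_cancel(n=5):
    """Check that the PRF-derived alphas sum to zero for n successive counters."""
    seeds = [secrets.token_bytes(32) for _ in range(3)]
    parties = [Party(i, seeds) for i in range(3)]
    return all(sum(p.zero_share() for p in parties) % P == 0 for _ in range(n))


if __name__ == "__main__":
    print(twice_signed_area([(0, 0), (4, 0), (0, 3)]))   # 12  -> area 6, counter-clockwise
    print(twice_signed_area([(0, 0), (0, 3), (4, 0)]))   # -12 -> clockwise
    print(twice_signed_area([(1, 1), (2, 2), (3, 3)]))   # 0   -> collinear
```

Each multiplication costs a single field element per party and one round; the zero-sharings are what make the protocol need only a PRF rather than oblivious transfer, and a single semi-honest party sees nothing beyond its own two shares and a uniformly random z from its neighbour. The output necessarily reveals the orientation of the triangle together with its area, since that is part of the function being computed.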

[Degree-granting institution]: Xidian University
[Degree level]: Doctor
[Year of degree]: 2016
[Classification number]: TN918.1

[Similar literature]

Related journal articles

1 Jia Jinping; Zhu Jun; Linear maps preserving 3-unitary products on finite nest algebras [J]; Journal of Hangzhou Dianzi University; 2007, No. 6

2 Gong Ming; Zhu Jun; Stability of first-order linear non-homogeneous differential equations [J]; Journal of Hangzhou Dianzi University; 2011, No. 1

Related doctoral dissertations (top 4)

1 Jing Zhengjun; Research on public-key cryptographic schemes based on multilinear maps [D]; Nanjing University of Posts and Telecommunications; 2015

2 Liu Liang; Research on the application of linear maps in security protocols [D]; Xidian University; 2016

3 Zhang Yang; Preserver problems between matrix spaces [D]; Harbin Institute of Technology; 2008

4 Li Xin; Positive linear maps on operator systems and inequalities [D]; East China Normal University; 2013

Related master's theses (top 8)

1 Zhao Haili; Positivity criteria for linear maps constructed from permutation pairs [D]; Taiyuan University of Technology; 2013

2 Zhu Yuanyuan; On linear maps on B(H) preserving partial isometries [D]; Shaanxi Normal University; 2012

3 Chen Chaoqun; Orthogonality-preserving linear maps [D]; Soochow University; 2013

4 Zhou Fengqin; Entropy of linear maps on Q_p^m [D]; Soochow University; 2008

5 Zhou Lina; Drift vectors and multipliers of finite subdiagonal algebras and rank-one-preserving linear maps [D]; Shaanxi Normal University; 2006

6 Pang Chaoran; Similarity-preserving linear maps on B(X) [D]; Soochow University; 2011

7 Wu Haiyan; Additive maps preserving Moore-Penrose inverses [D]; Heilongjiang University; 2007

8 Lin Hui; Idempotent operators on operator algebras and idempotent-preserving linear maps [D]; Heilongjiang University; 2005



Article ID: 1433648


Link: https://www.wllwen.com/shoufeilunwen/xxkjbs/1433648.html

