
On the security of a certificateless public-key encryption.

Source: collected from the web. Date: 2026-05-17

On the Security of a Certificateless Public-Key Encryption

Zhenfeng Zhang, Dengguo Feng

State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080, P.R. China

zfzhang@57d6d80d7cd184254b3535c1

Abstract. Certificateless public-key cryptosystem is a recently proposed attractive paradigm using public key cryptosystem, which avoids the key escrow inherent in identity-based public-key cryptosystems, and does not need certificates to generate trust in public keys. Recently, Al-Riyami and Paterson proposed a new certificateless public-key encryption scheme [2, 3] and proved its security in the random oracle model. This paper shows that their scheme is vulnerable to adaptive chosen ciphertext attacks, and presents a countermeasure to overcome such a security flaw.

1 Introduction

In traditional certificate-based public key cryptosystems, an entity's public key is generated from some random information that is unrelated to his identity, and hence needs to be certified with a certificate issued by a certification authority. Any participant who wants to use a public key must first verify the corresponding certificate to check the validity of the public key. Certificate-based public key cryptosystems require a large amount of storage and computing time to verify and revoke certificates.

The notion of identity-based cryptography (ID-PKC) was introduced by Shamir [7], in which the public key of a user can be derived from his unique identifier information. ID-PKC eliminates the certificates and greatly simplifies the key management. However, an inherent problem of ID-PKC is the key escrow, i.e., the private key of each user is known to a private key generator (PKG), who can then decrypt any ciphertext and forge signatures on any message for any user. Moreover, ID-PKC requires a secure channel between users and the PKG to deliver private keys. Because of these problems, it seems that ID-PKC should be considered to be suitable only for small private networks with lower security requirements.

To alleviate the problems associated with the use of identity-based cryptosystems and certificate authorities in traditional public-key cryptosystems, Al-Riyami and Paterson [1] introduced the concept of certificateless public key cryptography (CL-PKC). Unlike ID-PKC, a user's private key in CL-PKC schemes is not generated by a Key Generation Center (KGC) alone. Instead, it is a combination of a KGC-produced partial private key and an additional user-chosen secret. In this way, they successfully eliminate the built-in escrow properties, since the KGC could not control the user's private key entirely. Meanwhile, CL-PKC is not identity-based any longer, and an additional public key must be generated from the user's randomly chosen secret information. The complex structure of this scheme also means that a user who is encrypting a message can do it without having to verify the correctness of the public key via a public key certificate.

A certificateless scheme's security is assessed in terms of two different kinds of attackers. The first kind of attacker (or Type I attacker) is meant to represent a normal third party attack against the confidentiality of the system. Here, an entity in possession of all users' public keys attempts to break the IND-CCA2 security of the scheme. Due to the uncertified nature of the public keys produced by the users, we must assume that an attacker is able to replace these entities' public keys at will. This represents the attackers' ability to fool a user into sending a confidential message using a public key that has been supplied by the attacker. The second kind of attacker represents a malicious key generation center, who is given the key generation center's long term secret, but may not replace entities' public keys.

In 2005, Al-Riyami and Paterson proposed a new certificateless public key encryption (CL-PKE) scheme [2, 3], whose security is proven to rest on the hardness of the Bilinear Diffie-Hellman Problem (BDHP) in the random oracle model. The new scheme is more efficient than the original scheme [1], and then is used to construct an efficient certificate based encryption scheme [2]. In this paper, we analyze the security of their new CL-PKE scheme and show that it is vulnerable to adaptive chosen ciphertext attacks against the Type I attacker. A countermeasure is also presented to resist such an attack.

2 Certificateless Public-Key Encryption

A certificateless public-key encryption scheme is defined by seven probabilistic, polynomial-time algorithms [1, 6]:

– Setup: This algorithm takes as input a security parameter $1^k$ and returns the master private key $SK$ and the master public key $PK$. The master public key defines a message space $M$ and a ciphertext space $C$. This algorithm is run by a KGC to initially set up a system.

– Extract-Partial-Private-Key: This algorithm takes as input the master public key $PK$, the master private key $SK$, and an identifier $ID \in \{0,1\}^*$. It outputs a partial private key $D_{ID}$. This algorithm is run by a KGC once for each user, and the corresponding partial private key is distributed to that user in a suitably secure manner.


– Set-Secret-Value: This algorithm takes as input the master public key $PK$ and an entity's identifier $ID$, and outputs a secret value $x_{ID}$ for that identity. This algorithm is run once by the user.

– Set-Private-Key: This algorithm takes as input the master public key $PK$, an entity's partial private key $D_{ID}$ and an entity's secret value $x_{ID}$. It outputs the full private key $sk_{ID}$ for that user. This algorithm is run by the user.

– Set-Public-Key: This algorithm takes as input the master public key $PK$ and an entity's secret value $x_{ID}$. It outputs a public key $pk_{ID}$ for that user. This algorithm is run once by the user and the resulting pub ……
