Certificateless Public Key Encryption Without pairing
A New Certificateless Ring Signcryption Scheme

A New Certificateless Ring Signcryption Scheme. Hou Hongxia; He Yefeng.
Abstract: Recently, in order to eliminate the use of certificates in traditional public key cryptography and the key-escrow problem in identity-based cryptography, the notion of certificateless public key cryptography was introduced. In this paper, a new certificateless ring signcryption scheme based on bilinear pairing is proposed. The message can be sent anonymously, and authentication and confidentiality are guaranteed simultaneously: the recipient is convinced that the message was sent by one of the members of a group, but the actual sender remains unknown. The scheme is proved secure in the random oracle model under the hardness assumption of the decisional bilinear Diffie-Hellman problem. Compared with the traditional "signature then encryption" paradigm, the scheme is more efficient.
Journal: Computer Technology and Development. Year (volume), issue: 2012 (022) 007. Pages: 4 (pp. 151-153, 173). Keywords: certificateless public key cryptography; ring signature; signcryption; Diffie-Hellman problem. Authors: Hou Hongxia; He Yefeng. Affiliation: School of Communication and Information Engineering, Xi'an University of Posts and Telecommunications, Xi'an 710121, Shaanxi, China. Language: Chinese. CLC number: TP309.7.
0 Introduction. In a traditional PKI-based public key cryptosystem, digital certificates are needed to guarantee the legitimacy of users' public keys.
Key Management and PKI Technology

Self-Escrowed PKI [96]
Provides standard PKI functionality while retaining the ability to recover a user's private key. The concept was proposed early [97]; [96] designs a more efficient algorithm.
WSN Key Management
Computational resources are constrained, so the usual approach is to pre-distribute shared symmetric keys. Problems to solve:
Improve connectivity so that, as far as possible, any two nodes can agree on a key; reduce storage requirements.
A hot research topic in recent years.
Recent progress in WSN key management
Random pre-distribution: the E-G (Eschenauer-Gligor) key management scheme [64]
Improved schemes [65, 66]; related attacks [67]
Schemes that exploit prior knowledge (such as expected node deployment)
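As an added illustration (not from the slides or from [64]), the arithmetic behind random key pre-distribution: the probability that two nodes share a pool key (which drives connectivity), a Monte Carlo check of it, and the fraction of other nodes' links exposed once an attacker has extracted the key rings of captured nodes. The pool is modelled by integer key identifiers and the link key by a hash over the shared identifiers; both are assumptions made for the demonstration.

```python
"""Random key pre-distribution (Eschenauer-Gligor style): connectivity and capture resilience.

Added example, not part of the slides. The key pool is modelled by integer key
identifiers 0..pool_size-1 (real deployments load random keys); node rings are
random subsets of the pool.
"""
import hashlib
import math
import random
from itertools import combinations


def eg_share_probability(pool_size: int, ring_size: int) -> float:
    """Probability that two rings of `ring_size` keys drawn without replacement
    from a pool of `pool_size` keys share at least one key:
    p = 1 - prod_{i=0}^{k-1} (P - k - i) / (P - i)."""
    if ring_size > pool_size:
        raise ValueError("ring size cannot exceed pool size")
    no_overlap = 1.0
    for i in range(ring_size):
        no_overlap *= (pool_size - ring_size - i) / (pool_size - i)
    return 1.0 - no_overlap


def eg_capture_exposure(pool_size: int, ring_size: int, captured: int) -> float:
    """Fraction of links between *uncaptured* nodes an attacker can read after
    extracting the rings of `captured` nodes: a link protected by one pool key
    survives only if that key is in none of the captured rings."""
    return 1.0 - (1.0 - ring_size / pool_size) ** captured


def link_key(ring_a: set, ring_b: set):
    """Link key two neighbours derive after discovering their shared pool keys;
    None when they have nothing in common and need a path key via a neighbour."""
    common = sorted(ring_a & ring_b)
    if not common:
        return None
    material = b"".join(k.to_bytes(4, "big") for k in common)
    return hashlib.sha256(b"eg-link-key|" + material).digest()


def eg_simulate(pool_size: int, ring_size: int, nodes: int, seed: int = 1) -> float:
    """Monte Carlo check of eg_share_probability: deploy `nodes` nodes with
    random rings and measure the fraction of node pairs that obtain a link key."""
    rng = random.Random(seed)
    rings = [set(rng.sample(range(pool_size), ring_size)) for _ in range(nodes)]
    linked = sum(1 for a, b in combinations(rings, 2) if link_key(a, b) is not None)
    return linked / math.comb(nodes, 2)


if __name__ == "__main__":
    P, k = 10000, 75
    print(f"P={P} k={k}: p_share={eg_share_probability(P, k):.3f}")
    print(f"P=1000 k=30: formula={eg_share_probability(1000, 30):.3f} "
          f"simulated={eg_simulate(1000, 30, 100):.3f}")
    for x in (10, 50, 100):
        print(f"{x} captured nodes expose {eg_capture_exposure(P, k, x):.1%} of other links")
```

The two formulas pull in opposite directions: a larger ring raises connectivity but also raises the damage per captured node, which is why the later schemes cited above ([65, 66] and the q-composite idea) trade connectivity for capture resilience.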
Related communication protocols and attacks
Design the corresponding communication protocols so that secret sharing among network users is supported [49-52]. Reference [58] discusses attacks on the secret sharing process from a game-theoretic perspective.
Secret sharing: visual secret sharing
Visual Secret Sharing
A secret image is split into n share images.
The share images may be random images resembling white noise, or different meaningful images.
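Added example, not part of the original slides: a (2,2) visual secret sharing scheme in the style of Naor and Shamir. Each secret pixel becomes a pair of subpixels in each share; physically stacking the two transparencies is a pixel-wise OR, and a single share is statistically independent of the secret (the white-noise case described above). The ASCII image format and the deterministic coin used for the check are assumptions of the demo.

```python
"""(2,2) visual secret sharing in the style of Naor and Shamir.

Added example, not part of the original slides. Pixels are 1 (black) or 0 (white);
each secret pixel becomes two subpixels in each share; stacking = OR.
"""
import random
import secrets

BLACK, WHITE = 1, 0


def from_art(lines):
    """'#' is black, anything else white."""
    return [[BLACK if ch == "#" else WHITE for ch in line] for line in lines]


def to_art(rows):
    return ["".join("#" if px else "." for px in row) for row in rows]


def seeded_coin(seed):
    """Deterministic coin for tests and demos; never use it for real shares."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(1)


def vss_split(secret, coin=None):
    """Split `secret` (rows of 0/1) into two shares. `coin()` returns 0 or 1 and is
    the only source of randomness; share 1 depends on the coin alone."""
    coin = coin or (lambda: secrets.randbits(1))
    share1, share2 = [], []
    for row in secret:
        r1, r2 = [], []
        for px in row:
            pattern = [1, 0] if coin() else [0, 1]      # exactly one black subpixel
            r1.extend(pattern)
            # white pixel: same pattern in both shares; black: complementary pattern
            r2.extend(pattern if px == WHITE else [1 - s for s in pattern])
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def vss_stack(share1, share2):
    """Overlaying two transparencies: a subpixel is black if either share is black."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def vss_recover(stacked):
    """Read the stacked image: both subpixels black -> black pixel, otherwise white
    (a white pixel appears as 50% grey on the physical overlay)."""
    return [[BLACK if row[i] + row[i + 1] == 2 else WHITE for i in range(0, len(row), 2)]
            for row in stacked]


def share_is_well_formed(share):
    """Every subpixel pair of a share has exactly one black subpixel, whatever the secret."""
    return all(row[i] + row[i + 1] == 1 for row in share for i in range(0, len(row), 2))


if __name__ == "__main__":
    secret = from_art(["#...#", ".#.#.", "..#..", ".#.#.", "#...#"])
    s1, s2 = vss_split(secret)
    print("share 1 alone:", *to_art(s1), sep="\n")
    print("stacked and read back:", *to_art(vss_recover(vss_stack(s1, s2))), sep="\n")
```

The `seeded_coin` check in the test below is the secrecy argument in executable form: feeding the same coin flips to two different secrets produces an identical first share, so that share carries no information about which secret it came from.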
Key Agreement Protocols
DH protocol [1]
Based on the discrete logarithm problem; however, it suffers from the man-in-the-middle attack.
MQV protocol [5]
Improves the DH protocol by adding entity authentication
Prevents the man-in-the-middle attack
IEEE P1363 standard
Other improvements to the DH protocol [6-11]
[7] improves the MQV protocol and provides provable security
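The man-in-the-middle problem named above, as an added example that is not part of the slides: Alice and Bob run unauthenticated Diffie-Hellman over RFC 3526 group 14 while a constructed attacker class (`Mallory`) substitutes both public values, ending up with one key shared with each victim. The fingerprint comparison at the end stands in for the out-of-band or signature-based authentication that MQV and the other authenticated variants add; the message labels and the `run_exchange` harness are assumptions of the demo.

```python
"""Unauthenticated Diffie-Hellman and the man-in-the-middle it allows.

Added example, not from the slides. Group parameters are RFC 3526 group 14
(2048-bit MODP, transcribed from the RFC; verify against it before reuse).
"""
import hashlib
import secrets

# p is a safe prime (p = 2q + 1); g = 2 generates the subgroup of prime order q.
P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
G = 2
Q = (P - 1) // 2


def valid_public_value(pub: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup; otherwise a
    peer can confine the shared secret to a tiny set (small-subgroup attack)."""
    return 1 < pub < P - 1 and pow(pub, Q, P) == 1


def dh_keypair():
    x = secrets.randbelow(Q - 1) + 1           # private exponent in [1, q-1]
    return x, pow(G, x, P)


def dh_shared_key(x: int, peer_pub: int) -> bytes:
    if not valid_public_value(peer_pub):
        raise ValueError("invalid peer public value")
    z = pow(peer_pub, x, P).to_bytes(256, "big")
    return hashlib.sha256(b"dh-session|" + z).digest()


def fingerprint(pub: int) -> str:
    return hashlib.sha256(pub.to_bytes(256, "big")).hexdigest()[:16]


class Mallory:
    """Replaces each public value on the wire with her own, so she holds one
    key shared with Alice and a different one shared with Bob."""
    def __init__(self):
        self.m, self.M = dh_keypair()
        self.keys = {}

    def relay(self, sender: str, pub: int) -> int:
        self.keys[sender] = dh_shared_key(self.m, pub)
        return self.M


def run_exchange(attacker=None) -> dict:
    """Alice -> Bob: A = g^a.  Bob -> Alice: B = g^b.  Returns both derived keys
    and whether an out-of-band fingerprint comparison would have passed."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    A_recv = attacker.relay("alice", A) if attacker else A    # what Bob receives
    B_recv = attacker.relay("bob", B) if attacker else B      # what Alice receives
    k_alice = dh_shared_key(a, B_recv)
    k_bob = dh_shared_key(b, A_recv)
    verified = fingerprint(A_recv) == fingerprint(A) and fingerprint(B_recv) == fingerprint(B)
    return {"alice": k_alice, "bob": k_bob, "verified": verified}


if __name__ == "__main__":
    honest = run_exchange()
    print("honest run, keys agree:", honest["alice"] == honest["bob"])
    attacked = run_exchange(Mallory())
    print("under MITM, keys agree:", attacked["alice"] == attacked["bob"],
          "| fingerprints verified:", attacked["verified"])
```

Nothing in the exchange itself tells either party that the keys differ; only the fingerprint check (or, in MQV and signed variants, a long-term key bound into the computation) exposes the substitution.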
Key Distribution
A management center is responsible for, or assists users in, establishing shared keys. Recent related progress:
Android Application Security Development: Pitfalls of Cryptographic Algorithms

Android Application Security Development: Pitfalls of Cryptographic Algorithms. Authors: Alibaba Mobile Security, @伊樵 and @舟海 (Alibaba JAQ, a one-stop service for application development security). In Android development it is hard to avoid encrypting and decrypting data that is stored in local files or sent over the network to other servers and devices. But using encryption does not make the data absolutely safe: if the cryptographic functions are used incorrectly, the encrypted data can easily be recovered by reverse engineering.
There are also many problems with cryptographic algorithms that developers are not aware of.
1. Basic concepts. Cryptography serves three purposes: encryption, authentication and identification. Encryption: prevents an attacker from reading your data.
Authentication (of data): prevents an attacker from modifying your data without you noticing.
Identification: prevents an attacker from impersonating you.
Plaintext, ciphertext, keys, symmetric algorithms and asymmetric algorithms: these basic concepts and the principles of the algorithms are not covered here.
2. APIs provided by the Android SDK. 2.1 Structure of the Android cryptography APIs. The Android SDK's APIs are essentially those provided by Java and consist of the Java Cryptography Architecture (JCA), the Java Cryptography Extension (JCE), the Java Secure Socket Extension (JSSE) and the Java Authentication and Authorization Service (JAAS).
JCA provides the basic cryptographic framework, such as certificates, digital signatures, message digests and key pair generators, and corresponds to several packages in the Android API. JCE extends JCA with cipher algorithms, digest algorithms and key management, again corresponding to several Android API packages. JSSE provides SSL (Secure Sockets Layer) encryption, used for HTTPS transport, and corresponds mainly to the .ssl package in the Android API.
JAAS provides user authentication on the Java platform.
Research and Application of Certificateless Searchable Encryption Schemes

Research and Application of Certificateless Searchable Encryption Schemes. With the rapid development of the Internet and the arrival of the big data era, the need for data security and privacy protection has become increasingly prominent.
Against this background, certificateless searchable encryption schemes have emerged.
Such a scheme encrypts data while keeping it searchable, protecting the data while still satisfying users' retrieval needs.
Searchable encryption itself was introduced in 2000 by Song, Wagner and Perrig in the symmetric setting; public key encryption with keyword search (PEKS) followed from Boneh et al. in 2004, and certificateless variants, which remove the certificate management of PEKS and the key escrow of identity-based variants, came later and have since been widely studied and applied.
Built from symmetric encryption and hash functions (in the symmetric setting) or from public key techniques (in the certificateless setting), such schemes support keyword search over an encrypted data set without revealing the plaintext.
Compared with conventional encryption, searchable encryption has the following advantages. First, it protects data privacy.
Data is encrypted before upload and only a user holding the correct key can decrypt it, which prevents unauthorized parties from obtaining the content.
Second, it balances searchability and protection.
With conventional encryption, protecting the data usually means encrypting it completely, leaving the user unable to search it.
Searchable encryption instead encrypts the data and adds an index structure, so that the user can still perform keyword searches while the data stays protected.
Third, it is practical and flexible.
Users can search by keyword without exposing plaintext, which keeps the data manageable and usable.
The approach applies to many data types and scenarios, including text, images and video.
However, searchable encryption also has potential problems and challenges.
First, it adds search overhead.
Because the data is encrypted, a search requires additional cryptographic and matching operations, so search efficiency is relatively low.
Second, support for data updates and growth is limited: when data changes, the index must be rebuilt and the data re-encrypted, at considerable computational and storage cost.
To address these problems, researchers have proposed a series of improvements and optimizations in recent years.
Two important research directions are trapdoor constructions and predicate encryption.
A trapdoor construction turns the user's search keyword into a trapdoor that the server can match against the index without learning the keyword itself; predicate encryption provides more flexible search capability by evaluating a predicate over tokens (the encrypted representation of data items) to express specific search conditions.
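The index structure and trapdoor search described above, as an added example that is not part of the original text: a static single-keyword searchable symmetric encryption scheme in which the client derives two PRF keys per keyword (the trapdoor), the index maps PRF labels to masked document identifiers, and the server walks the labels without learning the keyword or any plaintext. The document set, the HMAC-based keystream and the fixed-width identifier padding are assumptions of the demo; the keystream has no integrity protection and a real deployment would use an AEAD.

```python
"""Single-keyword searchable symmetric encryption with a PRF-built index.

Added example, not from the page's source. Labels and masks are derived per
keyword with a PRF (HMAC-SHA256); documents and keys are constructed inline.
"""
import hashlib
import hmac
import secrets

ID_WIDTH = 32   # document ids are padded to a fixed width so their length does not leak


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative PRF-counter keystream; confidentiality only, no integrity."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += xor_bytes(data[i:i + 32], prf(key, nonce + i.to_bytes(4, "big")))
    return bytes(out)


def tokens(text: str) -> set:
    return {w.strip(".,;:") for w in text.lower().split()} - {""}


class Client:
    def __init__(self):
        self.k_index = secrets.token_bytes(32)
        self.k_doc = secrets.token_bytes(32)

    def trapdoor(self, keyword: str):
        """What the client hands the server: two keyword-specific PRF keys. The
        server can derive index labels from them but cannot recover the keyword."""
        w = keyword.lower().encode()
        return prf(self.k_index, b"label|" + w), prf(self.k_index, b"mask|" + w)

    def build(self, docs: dict):
        """docs: doc_id -> plaintext. Returns (encrypted index, encrypted documents)
        for upload; the index maps random-looking labels to masked doc ids."""
        postings = {}
        for doc_id, text in docs.items():
            assert len(doc_id.encode()) <= ID_WIDTH
            for w in tokens(text):
                postings.setdefault(w, []).append(doc_id)
        index = {}
        for w, ids in postings.items():
            k_label, k_mask = self.trapdoor(w)
            for c, doc_id in enumerate(ids):
                ctr = c.to_bytes(4, "big")
                padded = doc_id.encode().ljust(ID_WIDTH, b"\0")
                index[prf(k_label, ctr)] = xor_bytes(padded, prf(k_mask, ctr))
        edocs = {}
        for doc_id, text in docs.items():
            nonce = secrets.token_bytes(12)
            edocs[doc_id] = nonce + keystream_xor(self.k_doc, nonce, text.encode())
        return index, edocs

    def decrypt(self, blob: bytes) -> str:
        return keystream_xor(self.k_doc, blob[:12], blob[12:]).decode()


def server_search(index: dict, trapdoor) -> list:
    """Server side: walk counters 0, 1, 2, ... until a label is missing. The server
    learns which entries matched (the access pattern) and nothing else."""
    k_label, k_mask = trapdoor
    results, c = [], 0
    while True:
        ctr = c.to_bytes(4, "big")
        label = prf(k_label, ctr)
        if label not in index:
            return results
        results.append(xor_bytes(index[label], prf(k_mask, ctr)).rstrip(b"\0").decode())
        c += 1


if __name__ == "__main__":
    # Constructed sample corpus.
    docs = {"d1": "certificateless encryption without pairing",
            "d2": "ring signcryption with pairing.",
            "d3": "visual secret sharing"}
    client = Client()
    index, edocs = client.build(docs)
    hits = server_search(index, client.trapdoor("pairing"))
    print("server returns:", hits)
    print("client reads:", [client.decrypt(edocs[d]) for d in hits])
```

The static structure also shows the update problem noted above: adding a document to an existing keyword means recomputing that keyword's counter chain, and the counter-walk itself leaks how many documents matched, which dynamic and forward-private SSE schemes address.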
Meaning of publickey, gssapi-with-mic

Meaning of publickey, gssapi-with-mic. "publickey" and "gssapi-with-mic" are names of SSH user authentication methods; the pair appears, for example, in the OpenSSH client's debug output "Authentications that can continue: publickey,gssapi-with-mic", which lists the methods the server will still accept. A public key is one half of the asymmetric key pair used in public key cryptography.
In public key encryption, encryption and decryption use different keys.
The public key can be distributed freely, and anyone can use it to encrypt a message.
But only the holder of the private key can decrypt it.
This kind of cryptography is widely used in the security mechanisms of Internet communication. In SSH's publickey method the key pair is used for signing rather than encryption: the client signs data that includes the session identifier with its private key, and the server checks the signature against a key listed in the user's authorized_keys file.
GSSAPI is the Generic Security Services Application Program Interface. Its goal is to provide extensible and reusable security services to client/server applications.
The interface defines a generic security exchange so that different security mechanisms (for example Kerberos, or PKI-based mechanisms) can be integrated into applications without changing them.
gssapi-with-mic (MIC: Message Integrity Code) is the SSH user authentication method defined in RFC 4462 that builds on GSSAPI. After a GSSAPI security context (typically Kerberos) has been established between client and server, the client proves that it controls that context by sending a MIC computed over the SSH session identifier and the user authentication request.
The MIC lets the server check that the message was not altered in transit.
It also binds the GSSAPI context to this particular SSH session, so a captured GSSAPI token cannot be replayed by an attacker to authenticate a different connection.
This is done with keyed integrity protection derived from the GSSAPI context, not with a separate encryption layer or digital signature.
Public keys and gssapi-with-mic are two important concepts in modern secure communication.
Public key cryptography provides an efficient way to protect confidentiality and to authenticate the communicating parties.
gssapi-with-mic provides integrity protection for the authentication exchange so that it cannot be tampered with in transit.
Both techniques are widely used in modern applications and make information transfer more secure and reliable.
For example, SSL/TLS (originally Secure Sockets Layer) and SSH (Secure Shell) use these techniques to secure communication.
In SSL/TLS, public key cryptography is used during the handshake to authenticate the server (and optionally the client) and to establish a shared session key; the application data itself is then encrypted with a symmetric cipher, since public key operations are far too slow for bulk data.
This protects confidentiality against a third party eavesdropping on the connection.
At the same time, every record carries an integrity tag (a MAC or, with an AEAD cipher suite, an authentication tag) computed under the session key, which protects the origin and integrity of the message.
This prevents tampering and other malicious attacks.
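Knowing what the method names mean is most useful when checking which ones are actually being used. The following added example (not part of the original text) parses sshd's "Accepted"/"Failed" authentication lines, counts logins per method, and flags successful logins that did not use publickey or a GSSAPI method, plus repeated failures from one source. The sample log lines are constructed in sshd's format and are not from a real host; the severity labels are an assumption of the demo.

```python
"""Summarise which SSH authentication methods are actually used, from sshd logs.

Added example, not from the page's source. Matches OpenSSH's
'Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> <fingerprint>]'
and 'Failed <method> for [invalid user] <user> from <ip> port <n> ssh2' lines.
"""
import re
from collections import Counter

AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>[\w-]+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.:a-fA-F]+) port (?P<port>\d+) ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)

# Constructed sample lines in sshd's format (not from a real host).
SAMPLE_LOG = """\
Mar  1 09:12:01 bastion sshd[2311]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:6Tq0Qb9C0c5uYQzXyK5b2qk0Yt4xQmZ7mP8yYxk5J4M
Mar  1 09:12:44 bastion sshd[2340]: Accepted gssapi-with-mic for bob from 192.0.2.11 port 51300 ssh2
Mar  1 09:13:02 bastion sshd[2355]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  1 09:13:05 bastion sshd[2355]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
Mar  1 09:14:10 bastion sshd[2390]: Accepted password for root from 198.51.100.5 port 40100 ssh2
Mar  1 09:15:00 bastion sshd[2401]: Accepted publickey for alice from 192.0.2.10 port 51240 ssh2: ED25519 SHA256:6Tq0Qb9C0c5uYQzXyK5b2qk0Yt4xQmZ7mP8yYxk5J4M
"""

# Methods that prove possession of a key or Kerberos credential rather than a reusable secret.
STRONG_METHODS = {"publickey", "gssapi-with-mic", "gssapi-keyex"}


def parse_auth_events(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: list):
    """Return (accepted logins per method, findings). Findings cover successful
    logins over a non-strong method (severity high for root) and sources with
    repeated failures."""
    accepted = Counter(e["method"] for e in events if e["result"] == "Accepted")
    findings = []
    for e in events:
        if e["result"] == "Accepted" and e["method"] not in STRONG_METHODS:
            severity = "high" if e["user"] == "root" else "medium"
            findings.append((severity, f"{e['method']} login accepted for {e['user']} from {e['ip']}"))
    failed_by_ip = Counter(e["ip"] for e in events if e["result"] == "Failed")
    for ip, n in failed_by_ip.items():
        if n >= 2:
            findings.append(("low", f"{n} failed attempts from {ip}"))
    return accepted, findings


if __name__ == "__main__":
    accepted, findings = summarize(parse_auth_events(SAMPLE_LOG))
    print("accepted logins by method:", dict(accepted))
    for severity, text in findings:
        print(f"[{severity}] {text}")
```

If the summary shows password logins on a host whose sshd_config is believed to allow only publickey and gssapi-with-mic, the configuration and the log disagree, which is the point of running the check rather than reading the method list.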
An Overview of Certificateless Digital Signature Schemes

An Overview of Certificateless Digital Signature Schemes. Ju Linna; Ou Haiwen.
Abstract: Digital signatures in certificateless public key cryptography solve the certificate management problem of traditional public key cryptosystems and also avoid the key escrow problem of identity-based public key cryptography, so analyzing them is valuable in both theory and practice. This article gives a brief introduction to and analysis of certificateless digital signatures.
Journal: Journal of Beijing Electronic Science and Technology Institute. Year (volume), issue: 2011 (019) 004. Pages: 5 (pp. 30-34). Keywords: certificateless cryptography; digital signature. Authors: Ju Linna; Ou Haiwen. Affiliations: School of Communication Engineering, Xidian University, Xi'an 710071, Shaanxi, China; Beijing Electronic Science and Technology Institute, Beijing 100070, China. Language: Chinese. CLC number: TN918.1.
1 Introduction. Certificateless public key cryptography (CL-PKC) is a public key system proposed by Al-Riyami and Paterson in 2003. It lies between traditional PKI-based public key cryptography and identity-based public key cryptography (ID-PKC): it avoids the key escrow problem of ID-PKC while reducing the complexity of PKI-based systems, such as the cost of certificate verification.
General Certificateless Encryption and Timed-Release Encryption

General Certificateless Encryption and Timed-Release Encryption

Sherman S.M. Chow (1), Volker Roth (2) and Eleanor G. Rieffel (2)

(1) Department of Computer Science, Courant Institute of Mathematical Sciences, New York University, NY 10012, USA. schow@
(2) FX Palo Alto Laboratory, 3400 Hillview Avenue, Palo Alto, CA 94304, USA. {vroth,rieffel}@

(This research was done while the author was a research intern at FX Palo Alto Laboratory.)

Abstract. Recent non-interactive timed-release encryption (TRE) schemes can be viewed as being supported by a certificateless encryption (CLE) mechanism. However, the security models of CLE and TRE differ, and there is no generic transformation that turns a CLE into a TRE. In this paper, we give a generalized model for CLE that is also sufficient to fulfill the requirements of TRE. Our model is secure against an adversary with adaptive trapdoor extraction capabilities for arbitrary identifiers (instead of selective identifiers), decryption capabilities for arbitrary public keys (as considered in strongly-secure CLE) and partial decryption capabilities (as considered in security-mediated certificateless encryption, or SMCLE). Our model also supports hierarchical identities, which have not been considered formally in the paradigms of TRE and CLE. We propose a concrete scheme under our generalized model and prove it secure without random oracles. Our proposal yields the first strongly-secure SMCLE and the first TRE in the standard model. In addition, our technique of partial decryption is different from the previous approach.

Key words: security-mediated certificateless encryption, timed-release encryption

1 Introduction

The distinguishing feature of identity-based encryption (IBE) (e.g. [7,12,17,18,29-31,46]) is that a public key can be derived from any arbitrary string that acts as an identifier (ID). There exists a trusted authority, called a key generation center (KGC), which is responsible for the generation of the ID-based private key on demand. Since the birth of practical constructions of IBE, we see many cryptographic schemes borrowing the idea of IBE for other security goals (e.g. broadcast encryption [9] and oblivious transfer [31]). This paper studies two of them: certificateless encryption (CLE) [2-4,44,19,21,23,24,37,42] and timed-release encryption (TRE) [6,14-16,20,22,25,32,34]. Our main result provides a transformation from a generalized CLE to a TRE.

CLE is intermediate between IBE and traditional public key encryption (PKE). Traditional PKE requires a certification infrastructure but allows users to create their own public/private key pairs, so that their private keys are truly private. Conversely, IBE avoids the need for certificates at the expense of adding a KGC that generates the private keys, which means the KGC has the capability to decrypt all messages. CLE combines the advantages of both: no certificates are needed and messages can only be decrypted by the recipient. Generally, CLE is constructed by combining IBE and PKE. The existence of the PKE component means that the KGC cannot decrypt messages. Instantaneous revocation is difficult for typical CLE schemes. Security-mediated certificateless encryption (SMCLE) addresses this issue. Here we give the first strongly-secure SMCLE in the standard model. Our scheme also supports hierarchical identities.

In TRE, the sender encrypts the message under a public key and a time, so knowledge of both the matching private key and a time-dependent trapdoor is necessary for decryption. A time-server is trusted to keep a time-dependent trapdoor confidential until an appointed time, so that the recipient cannot decrypt prior to that time. A feature of modern TRE schemes is that the sender need only interact with the time-server once. Apart from the obvious application of delayed release of information, the need for sending a ciphertext into the future supports other applications, which can be classified into two categories: rapid dissemination of information and commitment of confidential information. With TRE, one can send bulky ciphertexts ahead of time. When the information should be made public, a small trapdoor can be widely distributed. Because the size of the time-dependent trapdoor is small compared with the ciphertext (and the text message), this approach avoids the problem of network impedance at the release time. Applications include release of stock market values, strategic business plans, news agencies' timed publications, licensed software updates, scheduled payments, or "casual" applications on the internet. Commitment of confidential information is needed in many scenarios, such as sealed-bid auctions, electronic lotteries, legal wills, certified e-mail [34], etc. Text encrypted using TRE can be viewed as a kind of commitment made by the sender; once the ciphertext is sent, the sender cannot change the message that will be received.

Our generalized CLE model, together with our method for converting a generalized CLE to a TRE, provides the first TRE proven secure in the standard model.

1.1 The difficulty of converting between CLE and TRE

A practical TRE requires the system parameter size to be small compared with the number of supported time periods. This is where the relation with IBE comes into play. By treating the identities as time periods, IBE gives rise to a time-based unlock mechanism (e.g. [7,40,41]). However, this approach only supports universal disclosure of encrypted documents, since one trapdoor can decrypt all ciphertexts for a specific time. In other words, the inherent key-escrow property of IBE prohibits encryption for a designated receiver.

Since CLE is an "escrow-free version" of IBE, and both TRE and CLE are a kind of double encryption, it is natural to think that CLE is what we are looking for to realize a TRE. While most recent non-interactive TRE schemes can be seen as converted from a corresponding implicit CLE mechanism, a generic conversion is not known. Despite similarities in syntax and functionality, as has been pointed out in [14], a generic transformation from CLE to TRE is unlikely to be provably secure. Difficulty in reducing the confidentiality of TRE to that of CLE arises when the adversary is a "curious" time-server. In CLE, each user is determined by a combination of an identity and a public key, which means an identity is only associated with a certain public key. In CLE, a curious KGC is not allowed to replace the public key associated with an identifier (otherwise, decryption of the ciphertext would be trivial, since it holds both pieces of secrets). On the other hand, a time identifier is never bound to any public key in TRE, which means that the public key associated with a time identifier can be replaced. There is no way to simulate this implicit public key replacement when the CLE is viewed as a black box. Section 2.2 provides four examples of CLE [4,36,42,44] which cannot be trivially extended to TRE.

1.2 Our Contributions

The generalized model for CLE given here overcomes the difficulties described in [14] and has sufficient power to fulfill the requirements of TRE. Our model is secure against an adversary with adaptive trapdoor extraction capabilities for arbitrary identifiers (instead of selective identifiers, e.g. [7,42]), decryption capabilities for arbitrary public keys (as considered in strongly-secure CLE [24]) and partial decryption capabilities (as considered in security-mediated certificateless encryption, or SMCLE [21]). Our model also supports hierarchical identities, which have not been considered formally for CLE and TRE.

We propose a concrete construction under our generalized model. All existing concrete TRE schemes [6,14-16,20,22,25,32,34] and the only concrete SMCLE scheme [21] are proven in the random oracle model. It is true that the generic construction of SMCLE [21] can be instantiated by an IBE and a PKE without random oracles; nevertheless, the resulting scheme is not strongly-secure. Our proposal yields the first strongly-secure SMCLE and the first TRE in the standard model. Moreover, our technique of partial decryption is different from that in [21].

2 Related Work

2.1 Timed-Release Encryption

The concept of timed-release cryptographic protocols was suggested by May [39] in 1993, and further studied by many researchers including [5,8,26,27]. Early TRE schemes require interaction with the time-server. Rivest et al.'s idea [43] requires senders to reveal their identities and the messages' release-time in their interactions with the server. In Di Crescenzo et al.'s scheme [22], the job of interacting with the time-server is moved from the sender to the receiver, since a "conditional oblivious transfer protocol" is executed between the server and the receiver. Such a protocol ensures that if the release-time is greater than the current time (the condition), the receiver learns nothing (obliviousness). However, this protocol [22] is computationally intensive and thus vulnerable to denial-of-service attacks.

The first attempt to construct a non-interactive and user-anonymous TRE was made in [6]. A concrete construction is provided, but it is not supported by a formal security model, and security properties are only argued for heuristically. The formal security model of message confidentiality was later considered independently by Cheon et al. [20] and Cathalo-Libert-Quisquater [14]. The former focuses on authenticated TRE. The latter claims to have a stronger model than the implicit non-authenticated version of [20]. Cathalo-Libert-Quisquater [14] also formalizes release-time confidentiality, but not recipient-anonymity. The recovery of past time-dependent trapdoors from a current trapdoor is studied in [16] and [41], which employ a hash chain and a tree structure [13] respectively.

A special class of TRE schemes supports pre-open capability: the sender can help the recipient to decrypt the ciphertext early by publishing a pre-open key. Since the pre-open key is held by the sender, by manipulating the pre-open key the sender might be able to control somehow what message is recovered. Using a TRE with pre-open capability as a way to commit confidential information requires the TRE scheme to be binding (see Appendix C). The study of the pre-open capability was initiated in [34] and improved by [25].

Recently, Chalkias et al. proposed an efficient TRE scheme [15]. They claim their scheme is the most computationally efficient one for unknown recipients. However, we show in Appendix E that the confidentiality of their scheme can be broken by a curious time-server. A plausible fix makes the decryption algorithm of their scheme less efficient and lessens the purported comparative advantage.

The time-lock puzzle approach [43] provides a way to realize TRE without a trusted server: delayed release is obtained by requiring the recipient to invest significant computational effort to solve a difficult problem. However, not only is this approach computationally expensive, but the release-time is not precisely controllable.

2.2 Certificateless Encryption

Certificateless cryptography was suggested by Al-Riyami and Paterson [2] in 2003. We need a basic understanding of the security model to understand the contribution of the different proposals. An extensive survey of CLE including various security models can be found in [23]. Two types of adversaries are considered in certificateless cryptography. A Type-I adversary models coalitions of rogue users without the master secret. Due to the lack of a certificate, the adversary is allowed to replace the public keys of users at will. A Type-II adversary models a curious KGC who has the master key but cannot replace the public keys of any users. In Al-Riyami and Paterson's security model for encryption [2], a Type-I adversary can ask for the decryption of a ciphertext under a replaced public key. Schemes secure against such attacks are called "strongly-secure" [24], and the oracle is termed a "strong decryption oracle". A weaker type of adversary, termed Type-I−, can only obtain a correct plaintext if the ciphertext is submitted along with the corresponding private key.

The first CLE scheme by Al-Riyami and Paterson [2] is secure against both Type-I and Type-II adversaries in the random oracle model. Many generic constructions of CLE from IBE and PKE exist, some later shown to be insecure [28,37,42], while others [19,37] rely on the random oracle heuristic. The authors later proposed a more efficient CLE scheme in [3], which has been shown to be insecure [19,48]. It is believed [36,38,42] that [38] gives the first CLE in the standard model. However, it is possible to instantiate a prior generic construction in [21] with a PKE and an IBE in the standard model to obtain a secure CLE without random oracles. Both [38] and the instantiation of [21] are only secure against Type-I− attacks. Based on [29], a selective-ID secure CLE without random oracles is proposed in [42]. This scheme cannot be trivially extended to a TRE, since the user's public key is dependent on the identity, but a user's public key is never coupled with a single time-identifier in TRE. Recently, the first strongly-secure CLE secure against Type-I adversaries in the standard model was proposed in [24].

The Al-Riyami and Paterson scheme is also the basis for the hierarchical CLE described in [2]. However, neither a security model nor a security proof is given for this hierarchical extension. We are not aware of any literature with formal work on hierarchical CLE, particularly none proven secure in the standard model.

A CLE that does not use pairings is proposed in [4]. However, the reduction used in the security proof does not hold up if the public key associated with the challenge ciphertext can be replaced. Another CLE proposal without pairing [36] uses similar ideas. No formal evidence was provided to prove the scheme secure under public key replacement, but this limitation was recently removed by [44]. To replace the pairing, these schemes make part of the user's public key dependent on the identity-specific trapdoor given by the KGC, which means TRE cannot be obtained trivially from these constructions.

Security-mediated certificateless encryption (SMCLE), introduced by Chow, Boyd and González Nieto [21], adds a security-mediator (SEM) who performs partial decryption for the user on request. This idea gives another variant for the decryption queries in the CLE paradigm: the adversary can ask for partial decryption results under either the SEM trapdoor generated by the KGC or the user private key. Intuitively, the notion of SMCLE is more general than that of CLE, since two partial decryption algorithms can always be combined into a single one, but the converse is not necessarily true (see Section 3.4). A concrete construction in the random oracle model and a generic construction in the standard model are proposed in [21]. Prior to our work, no strongly-secure SMCLE existed that had been proven secure in the standard model.

3 General Security-Mediated Certificateless Encryption

We propose a new definition of (security-mediated) certificateless encryption. We also highlight the relationship between our definition and existing definitions.

3.1 Notation

We use an ID-vector $\vec{ID} = (ID_1, ID_2, \cdots, ID_L)$ to denote a hierarchy of identifiers $(ID_1, ID_2, \cdots, ID_L)$. The length of $\vec{ID}$ is denoted by $|\vec{ID}| = L$. Let $\vec{ID} \| ID_r$ denote the vector $(ID_1, ID_2, \cdots, ID_L, ID_r)$ of length $|\vec{ID}| + 1$. We say that $\vec{ID}$ is a prefix of $\vec{ID}'$ if $|\vec{ID}| \le |\vec{ID}'|$ and $ID_i = ID'_i$ for all $1 \le i \le |\vec{ID}|$. We use $\emptyset$ to denote an empty ID-vector, where $|\emptyset| = 0$ and $\emptyset \| ID_r = ID_r$. Finally, we use the notation $(\{0,1\}^n)^{\le h}$ to denote the set of vectors of length less than or equal to $h$, where each component is an $n$-bit string.

3.2 Syntax

Extending the definition of a 1-level SMCLE scheme [21], we define an $h$-level SMCLE scheme as follows.

Definition 1. An $h$-level SMCLE scheme for identifiers of length $n$ (where $h$ and $n$ are polynomially-bounded functions) is defined by the following sextuple of PPT algorithms:

– Setup (run by the server) is a probabilistic algorithm which takes a security parameter $1^\lambda$ and outputs a master secret key $Msk$, which can also be denoted as $d_\emptyset$, and the global parameters $Pub$. We assume that $\lambda$, $h = h(\lambda)$ and $n = n(\lambda)$ are implicit in $Pub$, and all other algorithms take $Pub$ implicitly as an input.
– Extract (run by the server or anyone who holds a trapdoor) is a possibly probabilistic algorithm which takes a trapdoor $d_{\vec{ID}}$ corresponding to an identity $\vec{ID} \in (\{0,1\}^n)^{\le h}$ and a string $ID_r \in \{0,1\}^n$, and outputs a trapdoor key $d_{\vec{ID} \| ID_r}$ associated with the ID-vector $\vec{ID} \| ID_r$. The master secret key $Msk$ is the trapdoor corresponding to the 0-level identity.
– KeyGen (run by a user) is a probabilistic algorithm which generates a public/private key pair $(pk_u, sk_u)$.
– Enc (run by a sender) is a probabilistic algorithm which takes a message $m$ from some implicit message space, an identifier $\vec{ID} \in (\{0,1\}^n)^{\le h}$ and the receiver's public key $pk_u$ as input, and returns a ciphertext $C$.
– $\mathrm{Dec}_S$ (run by the one who holds the trapdoor, either a SEM in SMCLE or a receiver in CLE) is a possibly probabilistic algorithm which takes a ciphertext $C$ and the trapdoor key $d_{\vec{ID}}$ as input, and returns either a token $D$, which can be seen as a partial decryption result of $C$, or an invalid flag $\bot$ (which is not in the message space).
– $\mathrm{Dec}_U$ (run by a receiver) is a possibly probabilistic algorithm which takes the ciphertext $C$, the receiver's private key $sk_u$ and a token $D$ as input, and returns either the plaintext, an invalid flag $\bot_D$ denoting that $D$ is an invalid token, or an invalid flag $\bot_C$ denoting that the ciphertext is invalid.

For correctness, we require that $\mathrm{Dec}_U(C, sk, \mathrm{Dec}_S(C, \mathrm{Extract}(Msk, \vec{ID}))) = m$ for all $\lambda \in \mathbb{N}$, all $(Pub, Msk) \xleftarrow{\$} \mathrm{Setup}(1^\lambda)$, all $(pk, sk) \xleftarrow{\$} \mathrm{KeyGen}$, all messages $m$, all ID-vectors $\vec{ID}$ in $(\{0,1\}^n)^{\le h}$ and all $C \xleftarrow{\$} \mathrm{Enc}(m, \vec{ID}, pk)$.

3.3 Security

Each adversary has access to the following oracles:

1. An $\mathrm{ExtractO}$ oracle that takes an ID-vector $\vec{ID} \in (\{0,1\}^n)^{\le h}$ as input and returns its trapdoor $d_{\vec{ID}}$.
2. A $\mathrm{DecO}_S$ oracle that takes a ciphertext $C$ and an ID-vector $\vec{ID}$, and outputs $\mathrm{Dec}_S(C, d_{\vec{ID}})$. Note that $C$ may or may not be encrypted under $\vec{ID}$.
3. A $\mathrm{DecO}_U$ oracle that takes a ciphertext $C$, a public key $pk$ and a token $D$, and outputs $\mathrm{Dec}_U(C, sk, D)$, where $sk$ is the secret key that matches $pk$.
4. A $\mathrm{DecO}$ oracle that takes a ciphertext $C$, an ID-vector $\vec{ID}$ and a public key $pk$, and outputs $\mathrm{Dec}_U(C, sk, D)$, where $sk$ is the secret key that matches $pk$ and $D = \mathrm{Dec}_S(C, d_{\vec{ID}})$. Note that $C$ may or may not be encrypted under $\vec{ID}$ and $pk$.

Following common practice, we consider two kinds of adversaries.

1. A Type-I adversary that models any coalition of rogue users, and who aims to break the confidentiality of another user's ciphertext.
2. A Type-II adversary that models a curious KGC, who aims to break the confidentiality of a user's ciphertext. (We do not explicitly consider a rogue SEM, since this type of adversary is weaker than the Type-II adversary.)

We use the common security model in which the adversary plays a two-phase game against a challenger. The game is modeled by the experiment below, for $X \in \{I, II\}$, denoting whether a PPT adversary $A = (A_{find}, A_{guess})$ is of Type-I or Type-II. The allowed oracle queries $O$ and the auxiliary information $Aux$ depend on $X$.

Definition 2. Experiment $\mathrm{Exp}^{CCA-X}_{A}(\lambda)$:
  $(Pub, Msk) \xleftarrow{\$} \mathrm{Setup}(1^\lambda)$
  $(m_0, m_1, pk^*, \vec{ID}^*, state) \xleftarrow{\$} A^{O}_{find}(Pub, Aux)$
  $b \xleftarrow{\$} \{0,1\}$, $C^* \xleftarrow{\$} \mathrm{Enc}(m_b, \vec{ID}^*, pk^*)$
  $b' \xleftarrow{\$} A^{O}_{guess}(C^*, state)$
  If $(|m_0| \ne |m_1|) \vee (b' \ne b)$ then return 0, else return 1

where $O$ refers to the set of four oracles $\mathrm{ExtractO}(\cdot)$, $\mathrm{DecO}_S(\cdot,\cdot)$, $\mathrm{DecO}_U(\cdot,\cdot,\cdot)$ and $\mathrm{DecO}(\cdot,\cdot,\cdot)$. The variables marked with $*$ are about the challenge of the adversary. The adversary chooses a public key $pk^*$ and an ID-vector $\vec{ID}^*$ to be challenged with, and the challenger returns $C^*$ to the adversary as the challenge ciphertext. The two definitions below prohibit the adversary from trivially cheating by using the oracles to query for the answer to (parts of) the challenge.

Definition 3. A hierarchical security-mediated certificateless encryption scheme is $(t, q_E, q_D, \epsilon)$ IND-CCA secure against a Type-I adversary if $|\Pr[\mathrm{Exp}^{CCA-I}_{A}(\lambda) = 1] - \frac{1}{2}| \le \epsilon$ for all $t$-time adversaries $A$ making at most $q_E$ extraction queries and $q_D$ decryption queries (of any type), subject to the following constraints:
1. $Aux = \emptyset$, i.e. no auxiliary information is given to the adversary.
2. No $\mathrm{ExtractO}(\vec{ID})$ query throughout the game, where $\vec{ID}$ is a prefix of $\vec{ID}^*$.
3. No $\mathrm{DecO}_S(C^*, \vec{ID}^*)$ query throughout the game.
4. No $\mathrm{DecO}(C^*, \vec{ID}^*, pk^*)$ query throughout the game.

Definition 4. A hierarchical security-mediated certificateless encryption scheme is $(t, q_K, q_D, \epsilon)$ IND-CCA secure against a Type-II adversary if $|\Pr[\mathrm{Exp}^{CCA-II}_{A}(\lambda) = 1] - \frac{1}{2}| \le \epsilon$ for all $t$-time adversaries $A$ making at most $q_D$ decryption queries (of any type), subject to the following conditions:
1. $Aux = (Msk, \{pk^*_1, \cdots, pk^*_{q_K}\})$, i.e. the master secret key and a set of challenge public keys are given to the adversary.
2. $pk^* \in \{pk^*_1, \cdots, pk^*_{q_K}\}$, i.e. the challenge public key must be among the set given by the challenger.
3. No $\mathrm{DecO}_U(C^*, pk^*, D)$ query throughout the game, where $D$ is output by the algorithm $\mathrm{Dec}_S(C^*, d_{\vec{ID}^*})$.
4. No $\mathrm{DecO}(C^*, \vec{ID}^*, pk^*)$ query throughout the game.

Since $Msk$ is given to the adversary, and it is natural to assume that the adversary knows the secret key corresponding to any adversarially-chosen public key, the challenge public key must be in the set given by the challenger. Nevertheless, our definition places no restriction on the public key supplied to the decryption oracle, i.e. the decryption oracle should work even if the public key is adversarially chosen and the corresponding private key is not supplied. It is easy to weaken the strong decryption oracle to one corresponding to the Type-I− attack by placing the restriction below in Definition 4.
5. (Type-II−) No $\mathrm{DecO}(C, \vec{ID}, pk)$ query throughout the game where $pk \notin \{pk^*_1, \cdots, pk^*_{q_K}\}$, unless the corresponding private key $sk$ is supplied when the $\mathrm{DecO}$ query is made.
Definition 3 can also be easily modified to Type-I− to give a similarly weakened definition.

3.4 Discussions on Our Choices for the Definition

In addition to the formalisms, we explain the intuitions behind the choices made in formulating our definition.

User key generation. In order to support more general applications like TRE, we also need to generalize our syntax describing the interface of the algorithms. A subtle change in our definition of the algorithm description is that the user key generation algorithm KeyGen only takes the system parameters as input, but not the identifier. In particular, there exist CLE schemes [4,36,42,44] in which the inclusion of the identifier, or of the trapdoor for an identifier, is essential for the generation of the user public key. In the latter case, KeyGen can only be executed after Extract. A straightforward adaptation of these classes of CLE results in an inefficient TRE in which the size of the user public key grows linearly with the total number of supported time periods.

Simplification of the Type-I adversary. In most existing models for 1-level CLE (e.g. [24]), an ExtractO query on $\vec{ID}^*$ is allowed; but if such a query is issued, the challenge public key $pk^*$ can no longer be chosen by the adversary. In our discussion, we try to separate this from the Type-I model and consider this type of adversarial behavior (an ExtractO query on $\vec{ID}$ where $\vec{ID}$ is a prefix of $\vec{ID}^*$) as a weaker variant of, and hence covered by, a Type-II adversary. It is true that our resulting definition for the Type-I adversary is weaker [23, Section 2.3.5]. However, the "missing part" is not omitted from the security requirement, since it is unreasonable to define a CLE without considering the Type-II adversary. Indeed, this simplification has already been justified and adopted [33, Section 2.3].

Implicit public key replacement. In our generalization of CLE, we "remove" the oracle for replacing the public key corresponding to an identifier, which is present in the existing model for CLE. This may make a difference in the following:
1. the adversary's choice of the victim user it wishes to be challenged with,
2. the choice of user in decryption oracle queries.
Our model still allows the adversary to choose which identifier/public key it wants to attack. For decryption queries, the adversary can simply supply different combinations of identifier and public key to the $\mathrm{DecO}_S$ and $\mathrm{DecO}_U$ oracles. In this way, replacement is done implicitly. In other words, when compared with the original model [2], the security model is not weakened, but generalized to cover applications of CLE such as TRE.

Reason for "removing" the public key replacement oracle. In the traditional definition of CLE [2], the public key replacement oracle is defined upon the fact that an identifier is always bound to a particular user. Replacing a particular user's public key means the public key associated with a particular identifier should be changed. In TRE, and in other related paradigms such as cryptographic workflow [1], identifiers correspond to different policies governing the decryption. It is entirely possible that a single identifier is "shared" among more than one user. Hence we decide to remove the public key replacement oracle from the definition, resulting in a model free from the concept of "user = identifier".

Alternative definition of public key replacement. It is possible to give another definition supporting TRE (and cryptographic workflow [1]) by allowing a "restricted" public key replacement, such that a public key "associated" with an identifier can be replaced by a public key associated with another identifier, but not by an arbitrary one supplied by the user. Again, this definition still leads the model to the concept of an identifier belonging to a single user. Moreover, this definition may make the treatment of the strong decryption oracle more complicated. The idea of restricted replacement among a fixed set of public keys does not naturally correspond to a decryption oracle under adversarially chosen public keys.

SMCLE is more general than plain CLE. Having two separate decryption oracles in the SMCLE model gives a more general notion than CLE. This can be justified as follows:
1. Partial decryption results cannot be made available in the CLE model. There exist CLE schemes which are not secure when the adversary is given access to a partial decryption oracle [21].
2. Since the decryption oracle is separated into two, the SMCLE model does not have the notion of a "full" private key which is present in previous CLE models (a full private key is a single secret for the complete decryption of the ciphertext). On the grounds that separate secrets can always be concatenated into a single full one, this simplification (of the private key) has already been adopted in more recent models [33].

Difference from the previous SMCLE definition. In our user decryption oracle, different invalid flags are returned by $\mathrm{DecO}_U$ to distinguish the case that the token from the SEM is invalid from the case that the ciphertext is invalid. This is not captured by the original SMCLE model in [21]. We remark that it is possible to incorporate such a feature into the concrete scheme in [21] by an interactive proof-of-knowledge, which can easily be made non-interactive assuming a random oracle.

User decryption oracle in SMCLE. One of the restrictions for excluding trivial attacks in our Type-II adversary model disallows the challenge ciphertext $C^*$ from being decrypted by the decryption oracle under the challenge public key and a token $D$ output by the algorithm (not the oracle) $\mathrm{Dec}_S(C^*, d_{\vec{ID}^*})$, where $\vec{ID}^*$ is the challenge identifier. This restriction requires the ability to check whether a token $D$ is a valid token corresponding to a ciphertext and an identifier, which is ensured by our new SMCLE definition. At first glance, our security definition is tightly coupled with the ability to check the token. However, we think that it is natural for the user to be able to perform such a test (which is especially important if the user needs to pay for each SEM decryption). Even if there is no explicit testing algorithm, it may be possible for the challenger to set up the system in a way that lets it do the test for the challenge ciphertext. It is also possible to weaken the definition so that no user decryption query is allowed for the challenge ciphertext under the challenge public key, no matter what the token is.

Justifications for our definition of hierarchical CLE. In the hierarchical scheme suggested (without a security definition) in [2], an entity at level $k$ derives a trapdoor for its children at level $k+1$ using both its trapdoor and its secret key, while in our proposed model a level-$k$ entity only uses the trapdoor obtained from its parent at level $k-1$ to derive keys for its children. We do not see any practical reason for requiring the secret key in the trapdoor derivation. On the other hand, the resulting scheme is more complicated: for example, in the scheme of [2], decryption requires the public keys of all the ancestors. Note that we do allow the decryption of the ciphertext under $\vec{ID}$ which is a prefix of $\vec{ID}^*$. This is stronger than the counterpart in some hierarchical IBE models [30].

Our definition is more general than plain CLE. The following theorem summarizes our discussion.

Theorem 1. If there exists a 1-level SMCLE scheme which is secure under Definitions 3 and 4, there exists a CLE scheme which is secure under the definition of [2].

Proof. We describe how to build a simulator which makes use of an adversary against CLE to break the security of our 1-level SMCLE scheme. The simulator basically forwards everything (the system parameters, the oracle queries and responses) back and forth between its own challenger (for breaking SMCLE) and the CLE adversary. For most queries, the routine details are omitted. The complete decryption queries made by the CLE adversary are answered by combining the results of two partial decryption oracle queries. An important distinction between these "two worlds" is public key replacement. The simulator maintains a table storing the relationship between an identifier and a public key. Whenever a key replacement query is made, the simulator updates its own table. For every other request regarding a particular identifier, the simulator retrieves the corresponding public key from its table and queries its own challenger accordingly.

4 Our Proposed Construction

4.1 Preliminaries

Let $G$ be a multiplicative group of prime order $p$ and $G_T$ be a multiplicative group also of order $p$. We assume the existence of an efficiently computable bilinear map $\hat{e}: G \times G \to G_T$ such that
1. Bilinearity: for all $u, v \in G$ and $r, s \in \mathbb{Z}_p$, $\hat{e}(u^r, v^s) = \hat{e}(u, v)^{rs}$.
2. Non-degeneracy: $\hat{e}(u, v) \ne 1_{G_T}$ for all $u, v \in G \setminus \{1_G\}$.
We also assume the following problems are intractable in such groups.

Definition 5. The Decision 3-Party Diffie-Hellman Problem (3-DDH) in $G$ is to decide if $T = g^{\beta\gamma\delta}$ given $(g, g^\beta, g^\gamma, g^\delta, T) \in G^5$. Formally, defining the advantage of a PPT algorithm $D$, $\mathrm{Adv}^{3\text{-}DDH}_D(k)$, as
$$\left|\Pr\left[1 \xleftarrow{\$} D(g, g^\beta, g^\gamma, g^\delta, T) \,\middle|\, T \leftarrow g^{\beta\gamma\delta} \wedge \beta, \gamma, \delta \xleftarrow{\$} \mathbb{Z}_p^*\right] - \Pr\left[1 \xleftarrow{\$} D(g, g^\beta, g^\gamma, g^\delta, T) \,\middle|\, T \xleftarrow{\$} G \wedge \beta, \gamma, \delta \xleftarrow{\$} \mathbb{Z}_p^*\right]\right|,$$
we say 3-DDH is intractable if the advantage is a negligible function for all PPT algorithms $D$.
Certificateless Public Key Encryption Based on SM2

Journal of Cryptologic Research, 2021, 8(1): 87-95. ISSN 2095-7025, CN 10-1195/TN. © Editorial Office of Journal of Cryptologic Research. E-mail: jcr@cacrnet.org.cn, http://www.jcr.cacrnet.org.cn, Tel/Fax: +86-10-82789618

Certificateless Public Key Encryption Based on SM2
CHENG Zhao-Hui
Shenzhen OLYM Information Security Technology Co. Ltd., Shenzhen 518000, China
Corresponding author: CHENG Zhao-Hui, E-mail: *****************

Abstract: A certificateless cryptosystem needs no certificates to manage public keys and has none of the key escrow inherent in identity-based cryptosystems. This paper describes a certificateless encryption algorithm built on the SM2 encryption algorithm and proves, in the random oracle and algebraic group models, that its security reduces to the Gap Diffie-Hellman complexity assumption. The constructed algorithm therefore has provable security and can be deployed quickly on existing SM2 components. A cryptosystem using it has simple key management and an efficient implementation, and is well suited to applications such as IoT that need lightweight public key algorithms.
Key words: certificateless public key cryptography; SM2
CLC number: TP309.7. Document code: A. DOI: 10.13868/ki.jcr.000422
Chinese citation format: CHENG Z H. Certificateless public key encryption based on SM2 [J]. Journal of Cryptologic Research, 2021, 8(1): 87-95. [DOI: 10.13868/ki.jcr.000422]
English citation format: CHENG Z H. Certificateless public key encryption based on SM2 [J]. Journal of Cryptologic Research, 2021, 8(1): 87-95. [DOI: 10.13868/ki.jcr.000422]

Abstract (English, as printed): A system based on certificateless public key cryptography (CL-PKC) has succinct public key management without using certificates, and can exclude the key-escrow feature inherent in the identity-based cryptosystem. This paper presents a certificateless public key encryption (CL-PKE) based on the SM2 encryption algorithm. The security of the proposed scheme is proved based on the Gap Diffie-Hellman assumption in the random oracle and algebraic group model. Hence, the scheme has provable security and can be deployed based on existing SM2 infrastructure. It offers clear advantages in those systems, such as IoT, which require lightweight public key algorithms.
Key words: certificateless public key encryption; SM2

Received 2020-02-06; accepted 2020-05-07.

1 Introduction

Representative certificateless public key cryptosystems are the self-certified public key cryptography proposed by Girault in 1991 (also called "implicit certificate" cryptography, Implicit-Certificate-Based Cryptography [1]; this term is used hereafter) and the certificateless public key cryptography proposed by Al-Riyami and Paterson in 2003 (Certificateless Public Key Cryptography, AP-CL-PKC [2]). These cryptosystems lie between traditional certificate-based public key systems and identity-based cryptosystems [3]. In them, a user's private key is determined by two secret factors: one is a key generated by the user, the other is a key obtained from the Key Generation Center (KGC) that is tied to the user's identity (and possibly to the user's key material). Neither factor can be computed from the other: the KGC cannot compute the user-generated part and the user cannot compute the KGC-generated part. A certificateless system therefore has no key escrow. Certificateless cryptography guarantees that even if an attacker succeeds in replacing the victim's public key with one of its own choosing, the attacker still cannot forge a valid signature of the victim or decrypt a ciphertext intended for the victim.

Implicit-certificate mechanisms have never had a rigorous security model; the algorithms built on them were analysed heuristically, without rigorous security analysis, and attacks on implicit-certificate systems have consequently been found [4]. After Al-Riyami and Paterson proposed certificateless cryptography in 2003 [2] it attracted wide attention: a great deal of security-model theory was developed and a series of secure mechanisms, including certificateless encryption, signature and key exchange, were constructed, e.g. [2, 5-7] (more references are reviewed in [9]). The properties of the key generation function defined in AP-CL-PKC mean that this class of models cannot cover implicit-certificate mechanisms, and key pairs generated under the AP-CL-PKC model are hard to use with standard cryptographic algorithms. Reference [8] successfully unified the two previously incompatible certificateless approaches and obtained the advantages of both, so that certificateless signature mechanisms with rigorously provable security can be built from standard algorithms. The full version [9] gives algorithm models and security definitions for certificateless signature and encryption mechanisms, and gives certificateless signature mechanisms built on standard algorithms including ECDSA, Schnorr and SM2. Further, [9] gives certificateless key exchange protocols based on standard protocols and a certificateless encryption mechanism based on ElGamal, but without security analysis of these mechanisms. This paper combines the key generation method of [8] with the SM2 encryption algorithm to construct a certificateless encryption algorithm and analyses its security.

The key generation algorithm of [9] is a variant of the Schnorr-signature-based method of [11], combined with the identity-information precomputation of the SM2 signature algorithm (hereafter the enhanced PH key generation method). The identity precomputation includes the KGC's public key as a key prefix of the message in the Schnorr signature. Certificateless algorithms built with the PH key generation method have efficient public key computation and private key correctness verification. In particular, when the system master public key can be precomputed (the master public key is fixed once the system is initialised, so this is possible in most cases), the user public key computation and user private key verification of the PH method are both more efficient than the corresponding steps of ECQV [12] (engineering implementations show a speed-up of more than 6 times), so a certificateless encryption algorithm built this way can be implemented more efficiently overall. However, even the key-prefix-enhanced PH method has no universal composability: combining it with an arbitrary secure discrete-logarithm public key algorithm does not necessarily give a secure certificateless mechanism. Reference [9] shows that the method cannot be combined directly with ECDSA to build a secure certificateless signature. To our knowledge, there is also no formal analysis of the security of this class of key generation mechanisms combined with public key encryption. For instance, the ECQV standard [12] itself states that the security of the public key encryption formed by combining ECQV and ECIES has no formal analysis. The security of such algorithms is thus an important question worth studying. The main contribution of this paper is to prove the security of the encryption algorithm formed by the simple combination "PH key generation + SM2", giving a secure, efficient, SM2-based certificateless encryption algorithm. The security model and method can also be used to analyse the ECQV+ECIES combination.

Formal analysis of a public key algorithm under a reasonable security model is very important for its security evaluation. Some important standardisation bodies such as ISO require a published formal security analysis before an algorithm is considered for inclusion in a standard. To our knowledge, this paper is the first to give a formal security analysis of a certificateless encryption algorithm of this kind, built from standard algorithms. We hope it can provide a useful reference for the security evaluation and standardisation of such algorithms.

2 Model of certificateless encryption algorithms

2.1 Definition of certificateless encryption algorithms

Following [9], a certificateless encryption algorithm consists of the following functions:
• CL.Setup(1^k): given a security parameter k, initialises the certificateless cryptosystem and generates the system master public key and master private key (Mpk, Msk). Executed by the KGC.
• CL.Set-User-Key(Mpk): generates the user's partial public key and partial private key (U_A, x_A).
• CL.Extract-Partial-Key(Mpk, Msk, ID_A, U_A): executed by the KGC; generates the KGC partial public key and partial private key (W_A, d_A) for the user.
• CL.Set-Private-Key(Mpk, ID_A, U_A, x_A, W_A, d_A): generates the user's full private key s_A.
• CL.Set-Public-Key(Mpk, ID_A, U_A, W_A): generates the user's "declared" public key P_A (in implicit-certificate systems also called the public key reconstruction data).
• CL.Encrypt(Mpk, ID_A, P_A, m): encrypts message m, producing ciphertext C.
• CL.Decrypt(Mpk, ID_A, P_A, s_A, C): decrypts ciphertext C, outputting m or the failure symbol ⊥.

2.2 Security model of certificateless encryption algorithms

Reference [9] gives the security model matching the definition above. The model consists of two games corresponding to two kinds of attacker: a Type-I attacker is an ordinary attacker who tries to impersonate the victim by obtaining its private key or by obtaining information about plaintexts; a Type-II attacker is a curious KGC, which tries to impersonate some victim without leaving traces, again by obtaining its private key or information about plaintexts. The concrete security definitions follow. Figure 1 shows the two games defining the security of certificateless encryption (indistinguishability under chosen ciphertext attack, IND-CCA), where ρ is the attacker's state. In the games the attacker issues the following queries to the oracle O:
• CL.Extract-Partial-Key(Mpk, Msk, ID_A, U_A): the oracle runs CL.Set-Public-Key(Mpk, ID_A, U_A, W_A) to obtain P_A, adds (ID_A, P_A) to the set Q, and returns (W_A, d_A).
• CL.Get-Public-Key(Mpk, ID_A, bNewKey): if bNewKey is true, the oracle runs CL.Set-User-Key, CL.Extract-Partial-Key, CL.Set-Private-Key and CL.Set-Public-Key in order, adds (ID_A, P_A, x_A, s_A) to the set L, adds (ID_A, P_A) to the set P, and returns P_A. If bNewKey is false, it looks up the newest element for ID_A in L and returns that element's P_A.
• CL.Get-Private-Key(Mpk, ID_A, P_A): the oracle looks up the element for (ID_A, P_A) in L, adds (ID_A, P_A) to the set S1, and returns s_A.
• CL.Get-User-Key(Mpk, ID_A, P_A): the oracle looks up the element for (ID_A, P_A) in L, adds (ID_A, P_A) to the set S2, and returns x_A.
• CL.Decrypt-Message(Mpk, ID_A, P_A, C): the oracle looks up the element for (ID_A, P_A) in L, decrypts C with s_A, adds (ID_A, P_A, C) to the set D, and returns the decryption result. If no element is found in L, it decrypts C with the newest s_A belonging to ID_A and returns the result.
In the other lookups of L above, if no element is found, an error is returned.

Game 1: Type-I attacker
1. (Mpk, Msk) ← CL.Setup(1^k).
2. (ID*, P*, m1, m2, ρ) ← A_I^{O_1}(Mpk).
3. C* ← CL.Enc(Mpk, ID*, P*, m_b), where the bit b ← {0, 1} is random.
4. b' ← A_I^{O_1}(Mpk, ID*, P*, m1, m2, C*, ρ).
5. The attacker succeeds if b = b', (ID*, P*) ∉ S1 ∪ Q and (ID*, P*, C*) ∉ D.

Game 2: Type-II attacker
1. (Mpk, Msk) ← CL.Setup(1^k).
2. (ID*, P*, m1, m2, ρ) ← A_II^{O_2}(Mpk, Msk).
3. C* ← CL.Enc(Mpk, ID*, P*, m_b), where the bit b ← {0, 1} is random.
4. b' ← A_II^{O_2}(Mpk, Msk, ID*, P*, m1, m2, C*, ρ).
5. The attacker succeeds if b = b', P* ∈ P, (ID*, P*) ∉ S1 ∪ S2 and (ID*, P*, C*) ∉ D.

Figure 1. Security definition of CL-PKE.

The model of [2] supports a CL.Replace-Public-Key(ID_A, P_A) query to simulate an attacker replacing a public key. The signature security model of [9] does not explicitly support a public key replacement query; instead it lets the attacker win by producing a signature valid for an ID* and a public key P* of its own choice. This way of defining the model is chosen because a certificateless signature algorithm can operate in identity-based-signature mode, in which the signer publishes no declared public key but carries its public key P_A as part of the signature value. Such a system has no public key publishing component, so the model of [9] keeps its effectiveness while adapting better to such scenarios. For consistency, the encryption security model here likewise does not explicitly support a public key replacement query; instead, CL.Enc(Mpk, ID*, P*, m_b) in step 3 lets the attacker specify P*, and the CL.Decrypt-Message(ID_A, P_A, C) queries in steps 2 and 4 let the attacker specify P_A. The rules let the attacker replace the public key of ID* with an arbitrary P* when requesting the challenge ciphertext C*, and the attacker wins as long as it has not obtained the private key for (ID*, P*) through queries and b = b'. It is easy to see that the model here has the same attacker capabilities as the ordinary-attacker model of [2]; in particular it implicitly supports the public key replacement query of [2]. Under the model of [2], a public key replacement query does not affect the oracle's responses to CL.Get-Private-Key (the model of [2] does not require the correct private key for a replaced public key to be returned) or to CL.Extract-Partial-Key. Under the standard decryption-query model, the oracle behaves like a real decryptor: it decrypts with the private key it holds and does not care whether the ciphertext was generated with a replaced public key. In that case, therefore, the public key replacement query of [2] only matters for the challenge encryption. The model here requires that even when the oracle encrypts m_b under a public key chosen by the attacker, the attacker still cannot win the game with non-negligible advantage. Clearly the model here, like that of [2], effectively captures the security requirements against real attacks, including attempts to obtain plaintext information from a ciphertext produced after replacing the public key. Note that the way an attacker obtains the private key for (ID*, P*) depends on its type. A Type-I attacker can obtain it indirectly through a CL.Extract-Partial-Key(Mpk, Msk, ID*, U*) query or directly through a CL.Get-Private-Key(Mpk, ID*, P*) query. A Type-II attacker can obtain it indirectly through a CL.Get-User-Key(Mpk, ID*, P*) query or directly through a CL.Get-Private-Key(Mpk, ID*, P*) query.

The literature also has two theoretically stronger kinds of decryption query. Decryption query type 1: the oracle O must, without the private key, correctly decrypt the ciphertext in any decryption query, including ciphertexts produced after a public key replacement. This requirement is of theoretical interest and differs from how users decrypt in practice. The model here does not consider it (in fact, under Gap-type assumptions in the random oracle model, such queries can also be answered). Decryption query type 2: the attacker supplies the partial private key corresponding to the replaced public key, and the oracle decrypts with that partial private key together with the other partial private key. In the algorithm of this paper the user stores only a single private key value, so this attack does not apply (the model here supports CL.Get-User-Key for Type-II attackers only for compatibility with the queries of [2]; for the algorithm here, a malicious KGC can compute the oracle's CL.Get-User-Key response by itself by recording the CL.Extract-Partial-Key run and obtaining the full user private key via CL.Get-Private-Key). Reference [14] defines a model for Type-II attackers that simulates a KGC planting a trapdoor during CL.Setup. As stated in [5], a verifiable key generation method simply defeats such trapdoor attacks on system initialisation, so for simplicity of analysis this paper does not consider this type of attack.

Let the attacker's advantage in the two games above be Adv = |2(Pr[success] − 1/2)|.
Definition 1. If the advantages of the two classes of polynomial-time attackers A_I and A_II in Game 1 and Game 2 are both negligible, the certificateless encryption algorithm is secure.

3 Certificateless encryption algorithm based on SM2

3.1 Description of the certificateless encryption algorithm

Notation used below: ←_R denotes random selection from a set; || denotes concatenation; for an elliptic curve point G, x_G and y_G are its x and y coordinates; H is the chosen hash function, e.g. SM3; p and q are primes; F_p is the prime field; q is the order of the chosen elliptic curve point group; [a]G is scalar multiplication of G; KDF is a hash-based key derivation function.

• CL.Setup(1^k)
1. The KGC generates a random master private key Msk = s ←_R Z_q*.
2. The KGC chooses the system parameters, including the curve E/F_p and a generator G, and computes the master public key PK_KGC = [s]G. The system parameters are Mpk = (E/F_p: Y^2 = X^3 + aX + b, p, q, G, PK_KGC = [s]G).

• CL.Set-User-Key(Mpk)
1. x_A ←_R Z_q*.
2. U_A = [x_A]G.
3. Output (U_A, x_A).

• CL.Extract-Partial-Key(Mpk, Msk, ID_A, U_A)
1. Z = H1(IDL || ID_A || a || b || x_G || y_G || x_PKGC || y_PKGC). (Z is computed exactly as in the SM2 signature algorithm; IDL is the bit length of ID_A.)
2. w ←_R Z_q*.
3. X = [w]G.
4. W = U_A + X = [x_A]G + [w]G.
5. λ = H2(x_W || y_W || Z).
6. t = (w + λ·s) mod q.
7. Output (W_A = W, d_A = t).

• CL.Set-Private-Key(Mpk, ID_A, U_A, x_A, W_A, d_A)
1. s_A = (x_A + d_A) = (x_A + w + λ·s) mod q.

• CL.Set-Public-Key(Mpk, ID_A, U_A, W_A)
1. P_A = W_A = [x_A]G + [w]G.

• CL.Calculate-Public-Key(Mpk, ID_A, P_A)
1. Z = H1(IDL || ID_A || a || b || x_G || y_G || x_PKGC || y_PKGC).
2. λ = H2(x_PA || y_PA || Z).
3. O_A = P_A + [λ]PK_KGC.

• CL.Verify-Key(Mpk, ID_A, P_A, s_A)
1. Z = H1(IDL || ID_A || a || b || x_G || y_G || x_PKGC || y_PKGC).
2. λ = H2(x_PA || y_PA || Z).
3. P'_A = [s_A]G − [λ]PK_KGC.
4. The key is valid if P'_A = P_A, otherwise invalid.

• CL.Encrypt(Mpk, ID_A, P_A, m)
1. Z = H1(IDL || ID_A || a || b || x_G || y_G || x_PKGC || y_PKGC).
2. λ = H2(x_PA || y_PA || Z).
3. O_A = P_A + [λ]PK_KGC.
// The following steps are SM2 encryption of the message m under the public key O_A.
4. r ←_R Z_q*.
5. C1 = [r]G.
6. Q = [r]O_A.
7. f = KDF(x_Q || y_Q).
8. C2 = m ⊕ f.
9. C3 = H(x_Q || m || y_Q).
10. Return the SM2 ciphertext C = (C1, C2, C3).

• CL.Decrypt(Mpk, ID_A, P_A, s_A, C)
// The following steps are SM2 decryption of C under the private key s_A.
1. Q = [s_A]C1.
2. f = KDF(x_Q || y_Q).
3. m = C2 ⊕ f.
4. C3' = H(x_Q || m || y_Q).
5. If C3' = C3, output m; otherwise output ⊥.

3.2 Security analysis of the algorithm

The security of the SM2 encryption algorithm reduces to the following Gap Diffie-Hellman (GDH) complexity assumption. The security of the certificateless encryption algorithm above also reduces to the same assumption.

Definition 2 (GDH assumption). Given a cyclic group ⟨G⟩ of order q, a tuple (G, [a]G, [b]G) and a DH decision oracle DDH (given (X, [a]G, [b]G) it decides whether X = [ab]G), computing [ab]G is hard, where a, b ∈ Z_q*.

The security proof below uses the algebraic group model (AGM) [15]. The AGM requires that whenever the attacker outputs a group element, it also gives a representation of that element in terms of the group elements it has seen so far. For example, an attacker given the DH problem (G, [a]G, [b]G) that computes T = [ab]G must also give the representation ζ = (c, i, j) ∈ Z_q^3 with T = [c]G + [i][a]G + [j][b]G. Compared with the standard model, the AGM demands more of the attacker, but compared with the generic group model (GGM) [16] it demands less, so results proved in the AGM hold directly in the GGM. Below, T_ζ denotes an element T with representation ζ. The proof does not require a representation for every group element the attacker produces; elements that need none are written in the ordinary way.

Theorem 1. In the random oracle and algebraic group models, for the SM2-based certificateless encryption algorithm, if a polynomial-time attacker wins the Type-I or Type-II game with non-negligible advantage, then there is a polynomial-time algorithm that solves the GDH problem.

Proof. The algorithm contains four hash computations (the KDF is also hash-based), which the analysis below models as four distinct random oracles. The input spaces of the four computations differ, so they are automatically distinguished as different hash operations. The random oracles can be instantiated with a secure hash algorithm such as SM3. The two games are analysed in turn.

Type-I game. Suppose the attacker A_I wins the Type-I game with advantage ε(k). Given a GDH instance (G, [α]G, [β]G), the simulator S maintains a list T of records of the form ⟨ID_i, P_i, U_i, x_i, d_i, s_i, w_i⟩ (T plays the role of the set L of Section 2.2; the other sets of the game are managed as described there) and answers the queries of A_I as follows:
• CL.Setup(1^k): set PK_KGC = [α]G and Msk = −, and give Mpk to the attacker (the actual master private key is α).
• CL.Extract-Partial-Key(Mpk, Msk, ID_i, U_i): choose random w_i, λ_i ∈ Z_q*, compute W_i = [w_i]G + U_i − [λ_i]PK_KGC, and set H2(x_Wi || y_Wi || Z_i) = λ_i. If that H2 value has already been set, choose w_i, λ_i again and repeat; otherwise put ⟨ID_i, W_i, U_i, −, w_i, −, w_i⟩ into T and return (W_i, d_i = w_i). The representation ζ_i of U_i is recorded only to facilitate the final GDH computation; this extra information is not used to generate the response. This response (W_i, d_i = w_i) is indistinguishable, from the attacker's view, from the normal response with α as master private key (W_i = [w_i]G + U_i, t = (w_i + λ_i α) mod q).
• CL.Get-Public-Key(Mpk, ID_i, bNewKey): if bNewKey is false, look up P_i in the newest record for ID_i in T; if none is found, return empty. If bNewKey is true, choose random x_i, w_i, λ_i, compute W_i = [x_i]G + [w_i]G − [λ_i]PK_KGC, and set H2(x_Wi || y_Wi || Z_i) = λ_i. If that H2 value has already been set, choose again and repeat; otherwise put ⟨ID_i, W_i, U_i = [x_i]G, x_i, w_i, x_i + w_i, w_i⟩ into T and return P_i = W_i.
• CL.Get-Private-Key(Mpk, ID_i, P_i): if T has no record indexed by (ID_i, P_i), return an error; otherwise return the corresponding s_i.
• CL.Get-User-Key(Mpk, ID_i, P_i): if T has no record indexed by (ID_i, P_i), return an error; otherwise return the corresponding x_i.
• H1(IDL || ID_i || a || b || x_G || y_G || x_PKGC || y_PKGC): answered as a standard random oracle.
• H2(x_P || y_P || Z): answered as a standard random oracle.
• H3(x_Q || y_Q) (the KDF): answered as a standard random oracle.
• H4(x_Q || m || y_Q): answered as a standard random oracle.
• CL.Decrypt-Message(Mpk, ID_i, P_i, C): look up T by (ID_i, P_i) for a private key s_i. If one exists, decrypt with s_i and return the result. Otherwise use the DDH oracle to check every Q_z in the H3 query/response list for one satisfying Q_z = DH(C1, P_i + [λ_i][α]G). If such a Q_z is found, compute m with H3(x_Qz || y_Qz), check C3 with H4, and return as in normal operation; otherwise return ⊥.
• CL.Encrypt-Message(Mpk, ID*, P*, m_b): set C1 = [β]G and use the DDH oracle to check whether the data on the H3 and H4 lists contain a Q_z with Q_z = DH([β]G, P* + [λ*][α]G), where λ* = H2(x_P* || y_P* || Z*). If none, generate C2 and C3 at random and return the ciphertext; otherwise return a ciphertext built from the existing H3 and H4 data.
• After A_I returns b', use the DDH oracle to check every Q_z in the H3(x_Q || y_Q) query list for one satisfying Q_z = DH([β]G, P* + [λ*][α]G). If such a Q_z is found, compute the GDH solution as described below; otherwise the simulator S fails (Event 1).

First consider the probability that S succeeds. Since H3 is a random oracle,
Pr[A_I succeeds] = Pr[A_I succeeds | Event 1] Pr[Event 1] + Pr[A_I succeeds | ¬Event 1] Pr[¬Event 1] ≤ 1/2 (1 − Pr[¬Event 1]) + Pr[¬Event 1] = 1/2 + 1/2 Pr[¬Event 1].
Also
Pr[A_I succeeds] ≥ Pr[A_I succeeds | Event 1] Pr[Event 1] = 1/2 (1 − Pr[¬Event 1]) = 1/2 − 1/2 Pr[¬Event 1].
Hence Pr[S succeeds] = Pr[¬Event 1] ≥ 2ε(k).

We now show that S can compute [αβ]G from (G, [α]G, [β]G). During the whole game the group elements of ⟨G⟩ received by A_I are (G, [α]G, [β]G, W_i) (A_I can also obtain further group elements C1 by observing ciphertexts; because the IND-CCA model does not explicitly describe the encryption of ordinary messages, and the C1 of a standard ciphertext is an algebraic combination of G that the attacker can simulate by itself, this does not affect the analysis below, and C1 is not discussed further). The probability that [β]G appears before P* is negligible. Thus by the AGM, P* is the result of algebraic operations on (G, [α]G, W_i). Suppose K values W_i were generated before the encryption challenge CL.Encrypt-Message(Mpk, ID*, P*, m_b); then P* has the form
P* = [i]G + [u][α]G + Σ_{j=1}^{K} [z_j]W_j, with (i, u, z_1, ..., z_K) ∈ Z_q^{K+2}.
In the game, the W_i generated by CL.Extract-Partial-Key and by CL.Get-Public-Key are algebraic combinations of (G, [α]G, U_i) and of (G, [α]G) respectively. Before the encryption challenge, the representation ζ_j of U_j in CL.Extract-Partial-Key is based on (G, [α]G, U_l) with l < j, where the representation of U_0 is based on (G, [α]G). Therefore, combining ζ_j with the information in T, the representation can be transformed into a pair (i', u') satisfying P* = [i']G + [u'][α]G. It follows that Q* = DH([i']G + [u'][α]G + [λ*][α]G, [β]G). From (i', u'), when (u' + λ*) mod q ≠ 0, S computes the GDH solution as [(u' + λ*)^{-1}](Q_z − [i'][β]G). Since H2 is a random oracle and λ* = H2(x_P* || y_P* || Z*), for a given P* the probability that (u' + λ*) mod q = 0 is negligible. If A_I, after obtaining λ*, could compute a representation with a different transformation (i'', u'') ≠ (i', u') satisfying P* = [i'']G + [u''][α]G such that u'' = −λ*, then S could solve α = (i' − i'') / (u'' − u') mod q, i.e. the discrete logarithm problem in ⟨G⟩, and thus the GDH problem.

Note: to simplify the analysis, whenever an H2 collision occurs the proof re-runs the relevant random process. This assumes the simulator can avoid collisions effectively (in the random oracle model, the collision probability under a bounded number of queries is negligible), but the running time of S grows as the collision probability rises. The next game is handled in the same way.

Type-II game. Suppose the attacker A_II wins the Type-II game with advantage ε(k). Given a GDH instance (G, [α]G, [β]G), the simulator S chooses an integer 1 ≤ K ≤ N, where N is the total number of public keys generated in the game (this can in fact be narrowed to the number of public keys for which the attacker obtains neither the full private key nor the user partial private key). S maintains a list T of records of the form ⟨ID_i, P_i, U_i, x_i, d_i, s_i, w_i⟩ (T plays the role of the set L of Section 2.2; the other sets are managed as described there) and answers the queries of A_II as follows (this reduction does not use the algebraic group model):
• CL.Setup(1^k): generate (PK_KGC = [s]G, Msk = s) normally as the algorithm specifies, and give the output to the attacker.
• CL.Get-Public-Key(Mpk, ID_i, bNewKey): if bNewKey is false, look up P_i in the newest record for ID_i in T; if none is found, return an error. If bNewKey is true:
  – If this is the K-th new-key request on T, run CL.Extract-Partial-Key(Mpk, Msk, ID_i, [α]G) to obtain (W*, d*) and the internal random value w* with λ* = H2(x_W* || y_W* || Z_i), put ⟨ID_i, W*, [α]G, −, d*, −, w*⟩ into T, and return W* (the private key corresponding to this public key is (α + w* + λ* s) mod q).
  – Otherwise choose random x_i ∈ Z_q*, run CL.Extract-Partial-Key(Mpk, Msk, ID_i, [x_i]G) to obtain (W_i, d_i) and the internal random value w_i, put ⟨ID_i, W_i, [x_i]G, x_i, d_i, x_i + d_i, w_i⟩ into T, and return W_i.
• CL.Get-Private-Key(Mpk, ID_i, P_i): if T has no record indexed by (ID_i, P_i), return an error. If the s_i position of the record is −, abort the game (Event 1); otherwise return s_i = x_i + d_i mod q.
• CL.Get-User-Key(Mpk, ID_i, P_i): if T has no record indexed by (ID_i, P_i), return an error. If the x_i position of the record is −, abort the game (Event 2); otherwise return x_i.
• H1(IDL || ID_i || a || b || x_G || y_G || x_PKGC || y_PKGC): answered as a standard random oracle.
• H2(x_P || y_P || Z): answered as a standard random oracle.
• H3(x_Q || y_Q): answered as a standard random oracle.
• H4(x_Q || m || y_Q): answered as a standard random oracle.
• CL.Decrypt-Message(Mpk, ID_i, P_i, C): look up T by (ID_i, P_i) for a private key s_i. If one exists, decrypt with s_i; otherwise:
  – Case 1: if (ID_i, P_i) corresponds to the response of the K-th CL.Get-Public-Key request, use the DDH oracle to check every Q_z in the H3 query/response list for one satisfying Q_z = DH(C1, [α]G + [w* + λ* s]G). If such a Q_z is found, compute m with H3(x_Qz || y_Qz), check C3 with H4, and return as in normal operation; otherwise return ⊥.
  – Case 2: otherwise return ⊥ (here one could further use the DDH oracle to check whether Q_z = DH(C1, P_i + [λ_i s]G) and decrypt as in Case 1 according to the result).
• CL.Encrypt-Message(Mpk, ID*, P*, m_b): if (ID*, P*) is not the data of the K-th CL.Get-Public-Key request, abort (Event 3). Otherwise set C1 = [β]G and use the DDH oracle to check whether the data on the H3 and H4 lists contain a Q_z with Q_z = DH([β]G, [α]G + [w* + λ* s]G). If none, generate C2 and C3 at random and return the ciphertext; otherwise return Q_z − [w* + λ* s][β]G as the GDH solution.
• After A_II returns b', use the DDH oracle to check every Q_z in the H3(x_Q || y_Q) query list for one satisfying Q_z = DH([β]G, [α + w* + λ* s]G). If such a Q_z is found, return Q_z − [w* + λ* s][β]G as the GDH solution; otherwise the simulator S fails (Event 4).

If Event 3 does not occur, then Events 1 and 2 do not occur. By an analysis like that of Game 1, we have
Pr[S succeeds] = Pr[A_II succeeds ∧ ¬Event 4 ∧ ¬Event 3] ≥ 2ε(k)/N. □

4 Conclusion

This paper combines the key generation method of [9] with the SM2 encryption algorithm to build a certificateless encryption algorithm and gives a formal security analysis under an appropriate security model. We prove that the security of the certificateless SM2 encryption algorithm reduces, in the random oracle and algebraic group models, to the Gap Diffie-Hellman complexity assumption. The security model and method used can also be applied to analyse the security of the certificateless encryption algorithm formed by combining ECQV and ECIES. The results can serve as a reference for the security evaluation and standardisation of such algorithms.

References
[1] GIRAULT M. Self-certified public keys[C]. In: Advances in Cryptology—EUROCRYPT '91. Springer Berlin Heidelberg, 1991: 490-497. [DOI: 10.1007/3-540-46416-6_42]
[2] AL-RIYAMI S S, PATERSON K G. Certificateless public key cryptography[C]. In: Advances in Cryptology—ASIACRYPT 2003. Springer Berlin Heidelberg, 2003: 452-473. [DOI: 10.1007/978-3-540-40061-5_29]
[3] SHAMIR A. Identity-based cryptosystems and signature schemes[C]. In: Advances in Cryptology—CRYPTO '84. Springer Berlin Heidelberg, 1985: 47-53. [DOI: 10.1007/3-540-39568-7_5]
[4] BROWN D, CAMPAGNA M, VANSTONE S. Security of ECQV-certified ECDSA against passive adversaries[J]. IACR Cryptology ePrint Archive, 2009: 2009/620. https:///2009/620.pdf
[5] CHENG Z H, CHEN L Q, LING L, et al. General and efficient certificateless public key encryption constructions[C]. In: Pairing-Based Cryptography—Pairing 2007. Springer Berlin Heidelberg, 2007: 83-107. [DOI: 10.1007/978-3-540-73489-5_6]
[6] ZHANG Z F, WONG D S, XU J, et al. Certificateless public-key signature: Security model and efficient construction[C]. In: Applied Cryptography and Network Security—ACNS 2006. Springer Berlin Heidelberg, 2006: 293-308. [DOI: 10.1007/11767480_20]
[7] LIPPOLD G, BOYD C, GONZALEZ NIETO J. Strongly secure certificateless key agreement[C]. In: Pairing-Based Cryptography—Pairing 2009. Springer Berlin Heidelberg, 2009: 206-230. [DOI: 10.1007/978-3-642-03298-1_14]
[8] CHENG Z H, CHEN L Q. Certificateless public key signature schemes from standard algorithms[C]. In: Information Security Practice and Experience—ISPEC 2018. Springer Cham, 2018: 179-197. [DOI: 10.1007/978-3-319-99807-7_11]
[9] CHENG Z H, CHEN L Q. Certificateless public key cryptographic schemes from standard algorithms[EB/OL]. 2018. http://www.cpax.io/tech.html
[10] GM/T 0003.4-2012. Public key cryptographic algorithm SM2 based on elliptic curves—Part 4: Public key encryption algorithm. 2012.
[11] PETERSEN H, HORSTER P. Self-certified keys—Concepts and applications[M]. In: KATSIKAS S (ed.) Communications and Multimedia Security. IFIP Advances in Information and Communication Technology. Springer Boston, MA, 1997: 102-116. [DOI: 10.1007/978-0-387-35256-5_8]
[12] CERTICOM. SEC 4: Elliptic curve Qu-Vanstone implicit certificate scheme (ECQV). 2013.
[13] CHENG Z H, COMLEY R. Efficient certificateless public key encryption[J]. IACR Cryptology ePrint Archive, 2005: 2005/012. https:///2005/012.pdf
[14] AU M H, MU Y, CHEN J, et al. Malicious KGC attack in certificateless cryptography[C]. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security (ASIACCS 2007). ACM, 2007: 302-311. [DOI: 10.1145/1229285.1266997]
[15] FUCHSBAUER G, KILTZ E, LOSS J. The algebraic group model and its applications[C]. In: Advances in Cryptology—CRYPTO 2018, Part II. Springer Cham, 2018: 33-62. [DOI: 10.1007/978-3-319-96881-0_2]
[16] SHOUP V. Lower bounds for discrete logarithms and related problems[C]. In: Advances in Cryptology—EUROCRYPT '97. Springer Berlin Heidelberg, 1997: 256-266. [DOI: 10.1007/3-540-69053-0_18]

Author information: CHENG Zhao-Hui (1976-), born in Nanchong, Sichuan; PhD. Main research areas: cryptographic technology and its applications. *****************
Certificateless Public Key Encryption WithoutPairingJoonsang Baek,Reihaneh Safavi-Naini,and Willy SusiloCentre for Information Security ResearchSchool of Information Technology and Computer ScienceUniversity of WollongongWollongong NSW2522,Australia{baek,rei,wsusilo}@.auAbstract.“Certificateless Public Key Cryptography”has very appeal-ing features,namely it does not require any public key certification(cf.traditional Public Key Cryptography)nor having key escrow problem(cf.Identity-Based Cryptography).Unfortunately,construction of Cer-tificateless Public Key Encryption(CLPKE)schemes has so far dependedon the use of Identity-Based Encryption,which results in the bilinearpairing-based schemes that need costly operations.In this paper,weconsider a relaxation of the original model of CLPKE and propose a newCLPKE scheme that does not depend on the bilinear pairings.We provethat in the random oracle model,our scheme meets the strong securityrequirements of the new model of CLPKE such as security against publickey replacement attack and chosen ciphertext attack,assuming that thestandard Computational Diffie-Hellman problem is intractable.1IntroductionMotivation.Consider a situation where Alice wants to send a confidential mes-sage to ing a public key encryption(PKE)scheme,Alice needs to obtain Bob’s public key and encrypts her message using this key.When this operation is performed correctly,then only Bob who is in possession of a private key matched to his public key can decrypt the ciphertext and read the message.One direct implication of this mechanism is an assurance that Bob’s public key is authen-tic.In the normal Public Key Cryptography(PKC),this assurance is obtained via certification by a Certification Authority(CA).More precisely,the CA digi-tally signs on Bob’s public key and the“Digital Certificate”which contains the resulting signature and the public key should be checked against the CA’s pub-lic key by any interested party.However,the realization of this 
authentication mechanism called“Public Key Infrastructure(PKI)”has long been a concern for implementers as the issues associated with revocation,storage and distribution of certificates must be resolved.On the other hand,a very different approach to the above authenticity prob-lem in public key cryptography was made by Shamir[16].In this new approach named“Identity-Based Cryptography(IBC)”,every user’s public key is just J.Zhou et al.(Eds.):ISC2005,LNCS3650,pp.134–148,2005.c Springer-Verlag Berlin Heidelberg2005Certificateless Public Key Encryption Without Pairing135 his/her identity(identifier)which is an arbitrary string such as an email address while the corresponding private key is a result of some mathematical operation that takes as input the user’s identity and the secret master key of a trusted au-thority,sometimes referred to as“Private Key Generator(PKG)”.Notice that in this setting,certification of the public keys is provided implicitly based on the fact that if the user has obtained a correct private key associated with the published identity,he/she will be able to perform some cryptographic operations such as decrypt or sign.Hence,it is no longer necessary to explicitly authenticate public keys,i.e.verifying the digital certificates of the public keys,as in the tra-ditional PKI setting.However,an obvious drawback of IBC is an unconditional trust that must be placed to the PKG,as the PKG can always impersonate any single entity as every user’s private key is known to the PKG.In order to resolve the above escrow problem in IBC while keeping the im-plicit certification property of IBC,a new paradigm called“Certificateless Public Key cryptography(CLPKC)”was introduced by Al-Riyami and Paterson[1].In CLPKC,the user’s public key is no longer an arbitrary string.Rather,it is similar to the public key used in the traditional PKC generated by the user. 
However,a crucial difference between them is that the public key in CLPKC does not need to be explicitly certified as it has been generated using some“par-tial private key”obtained from the trusted authority called“Key Generation Center(KGC)”.Note here that the KGC does not know the users’private keys since they contain secret information generated by the users themselves,thereby removing the escrow problem in IBC.Therefore,it is sometimes said that CLPKC lies in between PKC and IBC. However,it should be emphasized that so far“Certificateless Public Key En-cryption(CLPKE)”schemes have been constructed within the framework of Identity-Based Encryption(IBE)schemes proposed by Boneh and Franklin[5], and Cocks[7].As a result,the CLPKE schemes in the literature had to be based on either the bilinear pairings or somewhat inefficient IBE scheme proposed in [7].In spite of the recent advances in implementation technique,the pairing com-putation is still considered as expensive compared with“standard”operations such as modular exponentiations infinitefields.According to the current MIR-ACL[12]implementation,a512-bit Tate pairing takes20ms whereas a1024-bit prime modular exponentiation takes8.80ms.Also,it is known that Cock’s IBE scheme[7]uses bit-by-bit encryption and hence outputs long ciphertexts.Being aware of the above problem of the current constructions of CLPKE,we focus on constructing a CLPKE scheme that does not depend on the pairings. 
This way,our scheme will be more efficient than all of the CLPKE schemes proposed so far[1,2,17].The approach we make to achieve such a goal is to construct a CLPKE scheme that tends more towards a PKE scheme in the traditional PKI setting.We note that the reason why the CLPKE schemes in [1,2,17]have to depend on IBE is that in those schemes,a user need not be in possession of a partial private key before generating a public key,which is indeed a feature provided by IBE.By relaxing this requirement,however,we could construct a very efficient CLPKE scheme without pairings.136Joonsang Baek,Reihaneh Safavi-Naini,and Willy SusiloRelated Work.Al-Riyami and Paterson[1]proposed CLPKE and Certificateless Public Key Signature(CLPKS)schemes,all of which are based on the bilinear pairing used in Boneh and Franklin’s[5]IBE scheme.We note that their new construction of a CLPKE scheme given in[2]is also based on the bilinear pairing.Recently,a generic construction of CLPKE was given by Yum and Lee[17], who showed that any IBE and normal public key encryption schemes,if combined together properly,can yield a CLPKE scheme.Although their result indeed brings someflexibility in constructing CLPKE schemes,one should still expect a new IBE scheme to emerge to obtain a CLPKE scheme that does not depend on the bilinear pairings or Cock’s IBE scheme[7].More recently,Castellucia et al.[6]proposed a new Secret Handshake(SH) scheme.An interesting feature of this scheme compared with the original SH scheme[3]is that it does not depend on the bilinear pairings but the key issuing technique based on the Schnorr signature[15],which is very similar to the“Self-Certified Keys”technique presented in[13],so that the required computational cost is twice less expensive than the original one.We note that Castellucia et al.[6]mentioned that their technique can also be applied to build a Hidden Cre-dential(HC)scheme[11],however,no further application of it was considered.Finally,we remark that CLPKC in 
general and our work are related to the early works on the“self-certified keys”[10,13,14].One crucial difference between schemes based on CLPKC and those based on self-certified keys is that the for-mer depends more on the“identity-based”property,so that a user does not need to obtain any(private)key from the KGC before generating a public key. This property is useful as mentioned in[1],but we emphasize that if one merely wants the“certificate-less property”for public key encryption,there is an alter-native method to construct a certificateless public key encryption scheme,which bypasses the use of IBE.The technique of self-certified keys is such a method and is similar to our method to construct the CLPKE scheme presented in this paper.However,we point out that no schemes in[10,13,14]are supported by formal security analysis.Moreover,the CLPKE scheme presented in this paper is structurally different from any schemes presented in[10,13,14].Hence,one can view our work as formal treatment and extension of the early works on the self-certified keys.Our Contributions.In this paper,we elaborate on a new formal model of CLPKE and construct a CLPKE scheme that does not depend on the bilinear pairings: We extend the technique of[3,13]non-trivially to the CLPKE setting and con-struct a new CLPKE scheme which is almost as efficient as the“hashed”ElGa-mal encryption scheme modified by the Fujisaki-Okamoto transform technique [8].We prove in the random oracle model[4]that our scheme is secure against adaptive chosen ciphertext attacks,relative to the Computational Diffie-Hellman (CDH)problem.Certificateless Public Key Encryption Without Pairing137 2DefinitionsModel.The main goal of CLPKE[1]is to allow a sender to transmit a confidential message to a recipient by encrypting the message using the recipient’s public key which does not have to be contained in a certificate issued by CA.As a result,one can remove the certificate checking process that increases the system 
complexity. In spite of the absence of the checking process,the sender is guaranteed that only the honest recipient who has gone through appropriate authentication procedure and has obtained a right“partial private key”associated with his identifier ID from the Key Generation Center(KGC)will be able to decrypt the message.Our model of CLPKE is very similar to that of original CLPKE[1].In fact, the sub-algorithms of our CLPKE,Setup,SetSecretValue,SetPrivateKey,Encrypt and Decrypt are identical to those of the original CLPKE.Two different algo-rithms are PartialKeyExtract and SetPublicKey.PartialKeyExtract is similar to the “Partial Private Key Extract”algorithm of the original CLPKE with a differ-ence that the output of PartialKeyExtract consists of not only a partial private key which should be kept secret but a“partial public key”which will be used to generate a public key later by the user.The only difference between the“Set Public Key”algorithm of the original CLPKE and SetPublicKey of our CLPKE is that in our model of CLPKE,the partial public key output by PartialKeyExtract should be provided as input to SetPublicKey,which makes it impossible for the user to set a public key if he/she has not contacted the KGC and obtained a partial private/public pair.We note that our model of CLPKE is slightly weaker than the one given in[1]as a user must authenticated himself/herself to the KGC and obtain an appropriate partial public key to create a public key,while the original CLPKE does not require a user to contact the KGC to set up his/her public keys.(As discussed in Section1,one can view our CLPKE is close to the public key encryption in the normal PKI setting while Al-Riyami and Paterson’s original CLPKE of is close to IBE).However,we argue that our CLPKE does not lose the unique property of CLPKE that the use of certificates to guarantee the authenticity of public keys is not required any more,which is the main motivation for CLPKE.Below,we formally describe our 
model of CLPKE.

Definition 1 (CLPKE). A generic CLPKE (Certificateless Public Key Encryption) scheme, denoted by Π, consists of the following algorithms.

– Setup: The Key Generation Center (KGC) runs this algorithm to generate a common parameter params and a master key masterKey. Note that params is given to all interested parties. We write (params, masterKey) = Setup().
– PartialKeyExtract: Taking params, masterKey and an identity ID received from a user as input, the KGC runs this algorithm to generate a partial private key D_ID and a partial public key P_ID. We write (P_ID, D_ID) = PartialKeyExtract(params, masterKey, ID).
– SetSecretValue: Taking params and ID as input, the user runs this algorithm to generate a secret value s_ID. We write s_ID = SetSecretValue(params, ID).

Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo

– SetPrivateKey: Taking params, D_ID and s_ID as input, the user runs this algorithm to generate a private key SK_ID. We write SK_ID = SetPrivateKey(params, D_ID, s_ID).
– SetPublicKey: Taking params, P_ID, s_ID and ID as input, the user runs this algorithm to generate a public key PK_ID. We write PK_ID = SetPublicKey(params, P_ID, s_ID, ID).
– Encrypt: Taking params, ID, PK_ID and a plaintext message M as input, a sender runs this algorithm to create a ciphertext C. We write C = Encrypt(params, ID, PK_ID, M).
– Decrypt: Taking params, SK_ID and a ciphertext C as input, the user, as recipient, runs this algorithm to obtain a decryption δ, which is either a plaintext message or a "Reject" message. We write δ = Decrypt(params, SK_ID, C).
Security Notion. We also modify the security notion of the original CLPKE and present a new notion, which we call "indistinguishability of CLPKE ciphertexts under chosen ciphertext attack (IND-CLPKE-CCA)". We note that the modification is very small: in our security notion of CLPKE, the attacker's "public key request" queries must be answered by running the PartialKeyExtract algorithm, which is not needed in the original CLPKE. As in the security notion of the original CLPKE, we assume two types of attackers, A_I and A_II. The difference between these two attackers is that A_I does not have access to the master key of the KGC, while A_II does. Now a formal definition follows.

Definition 2 (IND-CLPKE-CCA). Let A_I and A_II denote the Type I attacker and the Type II attacker respectively. Let Π be a generic CLPKE scheme. We consider two games, "Game I" and "Game II", in which A_I and A_II respectively interact with their "Challenger". Note that the Challenger keeps a history of "query-answer" pairs while interacting with the attackers.

Game I: This is the game in which A_I interacts with the Challenger.

Phase I-1: The Challenger runs Setup() to generate masterKey and params. The Challenger gives params to A_I while keeping masterKey secret.

Phase I-2: A_I performs the following:
• Issuing partial key extraction queries, each denoted by (ID, "partial key extract"): on receiving such a query, the Challenger computes (P_ID, D_ID) = PartialKeyExtract(params, masterKey, ID) and returns it to A_I.
• Issuing private key extraction queries, each denoted by (ID, "private key extract"): on receiving such a query, the Challenger computes (P_ID, D_ID) = PartialKeyExtract(params, masterKey, ID) and s_ID = SetSecretValue(params, ID). It then computes SK_ID = SetPrivateKey(params, D_ID, s_ID) and returns it to A_I.
• Issuing public key request queries, each denoted by (ID, "public key request"): on receiving such a query, the Challenger computes (P_ID, D_ID) = PartialKeyExtract(params, masterKey, ID) and s_ID = SetSecretValue(params, ID). It then computes PK_ID = SetPublicKey(params, P_ID, s_ID, ID) and returns it to A_I.
• Replacing the user's public key: A_I may replace a public key PK_ID with a value of its own choice at any time.
• Issuing decryption queries, each denoted by (ID, PK_ID, C, "decryption"): on receiving such a query, the Challenger finds SK_ID in its "query-answer" list for public key requests, computes δ = Decrypt(params, SK_ID, C), which is either a plaintext message or a "Reject" message, and returns δ to A_I. If the Challenger cannot find SK_ID, it runs a special "knowledge extractor" to obtain a decryption δ and returns it to A_I. (As discussed in [1], it is not unreasonable to assume that the Challenger cannot answer a decryption query when the corresponding public key has been replaced, and hence returns "Reject". However, as also pointed out in [1], replacing public keys gives huge power to the attacker. Hence, we assume that the Challenger uses other means, called a "knowledge extractor" [1], to decrypt a requested ciphertext. Note that the construction of the knowledge extractor is specific to each CLPKE scheme.)

Phase I-3: A_I outputs two equal-length plaintext messages (M_0, M_1) and a target identity ID*. Note that ID* must not have been queried to extract a partial private key or a private key at any time. Note also that ID* cannot be an identity for which both the public key has been replaced and the partial private key has been extracted. On receiving (M_0, M_1) and ID*, the Challenger picks β ∈ {0,1} at random and creates the target ciphertext C* = Encrypt(params, ID*, PK_ID*, M_β). The Challenger returns C* to A_I.
Phase I-4: A_I issues queries as in Phase I-2. The same rules of the game apply here: ID* must not be queried to extract a partial private key or a private key at any time, and ID* cannot be an identity for which both the public key has been replaced and the partial private key has been extracted. Additionally, no decryption query may be made on C* for the combination of ID* and PK_ID* that was used to encrypt M_β.

Phase I-5: A_I outputs its guess β' ∈ {0,1}.

Game II: This is the game in which A_II interacts with the Challenger.

Phase II-1: The Challenger runs Setup() to generate masterKey and params. The Challenger gives params and masterKey to A_II.

Phase II-2: A_II performs the following:
• Computing the partial key associated with ID: A_II computes (P_ID, D_ID) = PartialKeyExtract(params, masterKey, ID) by itself, since it holds masterKey.
• Issuing private key extraction queries, each denoted by (ID, "private key extract"): on receiving such a query, the Challenger computes (P_ID, D_ID) = PartialKeyExtract(params, masterKey, ID) and s_ID = SetSecretValue(params, ID). It then computes SK_ID = SetPrivateKey(params, D_ID, s_ID) and returns it to A_II.
• Issuing public key request queries, each denoted by (ID, "public key request"): on receiving such a query, the Challenger computes (P_ID, D_ID) = PartialKeyExtract(params, masterKey, ID) and s_ID = SetSecretValue(params, ID). It then computes PK_ID = SetPublicKey(params, P_ID, s_ID, ID) and returns it to A_II.
• Issuing decryption queries, each denoted by (ID, PK_ID, C, "decryption"): on receiving such a query, the Challenger finds SK_ID in its "query-answer" list, computes δ = Decrypt(params, SK_ID, C), which is either a plaintext message or a "Reject" message, and returns δ to A_II.

Phase II-3: A_II outputs two equal-length plaintext messages (M_0, M_1) and a target identity ID*. Note that ID* must not have been issued as a private key extraction query. On receiving (M_0, M_1) and ID*, the Challenger picks β ∈ {0,1} at random and creates the target
ciphertext C* = Encrypt(params, ID*, PK_ID*, M_β). The Challenger returns C* to A_II.

Phase II-4: A_II issues queries as in Phase II-2, subject to the same rules (that is, ID* must not be issued as a private key extraction query). In this phase, additionally, no decryption query may be made on C* for the combination of ID* and PK_ID* that was used to encrypt M_β.

Phase II-5: A_II outputs its guess β' ∈ {0,1}.

We define A_i's guessing advantage in Game i, where i ∈ {I, II}, by
$$\mathrm{Adv}^{\mathrm{IND\text{-}CLPKE\text{-}CCA}}_{\Pi,\mathrm{Game}\ i}(A_i) = \left|\Pr[\beta' = \beta] - \tfrac{1}{2}\right|.$$
A_i breaks IND-CLPKE-CCA of Π with (t, q_paex, q_prex, ε) if and only if the guessing advantage of A_i, making q_paex partial key extraction queries and q_prex private key extraction queries, is greater than ε within running time t. The scheme Π is said to be (t, q_paex, q_prex, ε)-IND-CLPKE-CCA secure if there is no attacker A_i that breaks IND-CLPKE-CCA of Π with (t, q_paex, q_prex, ε).

Computational Problem. We now review the standard "Computational Diffie-Hellman (CDH)" problem used in a large number of cryptographic schemes.

Definition 3 (CDH). Let p and q be primes such that q | p − 1. Let g ∈ Z_p^* be an element of order q (so that exponents are taken modulo q). Let A be an attacker. A tries to solve the following problem: given (g, g^a, g^b) for uniformly chosen a, b ∈ Z_q^*, compute κ = g^{ab}. Formally, we define A's advantage Adv^CDH_{Z_p^*}(A) by Pr[A(g, g^a, g^b) = g^{ab}]. A solves the CDH problem with (t, ε) if and only if the advantage of A is greater than ε within running time t. The CDH problem is said to be (t, ε)-intractable if there is no attacker A that solves the CDH problem with (t, ε).

We remark that the current CLPKE schemes presented in [1] and [2] all depend on the "Bilinear Diffie-Hellman (BDH)" problem, which is the pairing version of the CDH problem used in the construction of Boneh and Franklin's IBE scheme [5]. (Informally, the BDH problem is to compute ê(g,g)^{abc} given g^a, g^b and g^c, where g is a generator, ê denotes a bilinear pairing and a, b, c are chosen at random from Z_q^*.)

3 Our CLPKE Scheme

We now present our CLPKE scheme based on the
Schnorr signature [15]. As mentioned previously, our CLPKE scheme is motivated by the construction of the PKI-enabled encryption scheme given in [6]. However, we apply that scheme non-trivially to construct an efficient CLPKE scheme: the computational cost of realizing our scheme is very low, due not only to the efficiency of the Schnorr signature but also to the effective way in which the Schnorr signature and the public key encryption scheme are combined. We remark that the encryption algorithm of our CLPKE scheme requires two more modular exponentiations than the "hashed" ElGamal encryption transformed by the technique proposed by Fujisaki and Okamoto [8]; the decryption algorithm requires one more exponentiation than that scheme. Below, we describe the scheme:

– Setup(): Generate two primes p and q such that q | p − 1. Pick an element g ∈ Z_p^* of order q. Pick x ∈ Z_q^* uniformly at random and compute y = g^x. Choose hash functions H1: {0,1}* × Z_p^* → Z_q^*, H2: {0,1}^{l0} × {0,1}^{l1} → Z_q^* and H3: Z_p^* × Z_p^* → {0,1}^l, where l = l0 + l1 ∈ ℕ. Return params = (p, q, g, y, H1, H2, H3) and masterKey = (p, q, g, x, H1, H2, H3).
– PartialKeyExtract(params, masterKey, ID): Pick s ∈ Z_q^* at random and compute w = g^s and t = s + x·H1(ID, w) mod q. Return (P_ID, D_ID) = (w, t).
– SetSecretValue(params, ID): Pick z ∈ Z_q^* at random. Return s_ID = z.
– SetPrivateKey(params, D_ID, s_ID): Set SK_ID = (s_ID, D_ID) = (z, t). Return SK_ID.
– SetPublicKey(params, P_ID, s_ID, ID): Let P_ID = w and s_ID = z. Compute µ = g^z and set PK_ID = (w, µ). Return PK_ID.
– Encrypt(params, ID, PK_ID, M), where the bit-length of M is l0: Parse PK_ID as (w, µ) and compute γ_ID = w·y^{H1(ID,w)}. Pick σ ∈ {0,1}^{l1} at random and compute r = H2(M, σ). Compute C = (c1, c2) such that c1 = g^r and c2 = H3(k1, k2) ⊕ (M || σ), where k1 = µ^r and k2 = γ_ID^r. (Note that "||" denotes concatenation. Note also that the bit-length of (M || σ) equals l = l0 + l1.) Return C.
– Decrypt(params, SK_ID, C): Parse C as (c1, c2) and SK_ID as (z, t). Compute M || σ = H3(c1^z, c1^t) ⊕ c2. If g^{H2(M,σ)} = c1, return M. Else return "Reject".

Note that the pair (w, t) output by PartialKeyExtract is a Schnorr signature of the KGC on (ID, w), and that γ_ID = w·y^{H1(ID,w)} = g^t: a sender can compute γ_ID from the public key and ID alone, while only the holder of the KGC-issued t can raise c1 to it. This is what replaces the certificate check.

It can be easily seen that the above decryption algorithm is consistent: if
C = (c1, c2) is a valid ciphertext, we obtain
$$\begin{aligned}
H_3(c_1^{z}, c_1^{t}) \oplus c_2 &= H_3(g^{rz}, g^{rt}) \oplus H_3(\mu^{r}, \gamma_{ID}^{r}) \oplus (M\|\sigma) \\
&= H_3((g^{z})^{r}, (g^{s + xH_1(ID,w)})^{r}) \oplus H_3(\mu^{r}, \gamma_{ID}^{r}) \oplus (M\|\sigma) \\
&= H_3(\mu^{r}, (g^{s} y^{H_1(ID,w)})^{r}) \oplus H_3(\mu^{r}, \gamma_{ID}^{r}) \oplus (M\|\sigma) \\
&= H_3(\mu^{r}, \gamma_{ID}^{r}) \oplus H_3(\mu^{r}, \gamma_{ID}^{r}) \oplus (M\|\sigma) \\
&= M\|\sigma .
\end{aligned}$$

4 Security Analysis

Basically, the main idea of the security proofs given in this section is to have the CDH attacker B simulate the "environment" of the Type I and Type II attackers A_I and A_II respectively, until it can compute the Diffie-Hellman key g^{ab} of g^a and g^b using the ability of A_I or A_II. As described in Definition 2, A_I and A_II issue various queries: random oracle, partial key extraction, public key request, private key extraction and decryption queries. B responds to these queries with answers distributed identically to those in the real attack.

We note that for the attacker A_I, B sets g^a as a part of the challenge ciphertext and g^b as the KGC's public key. On the other hand, for the attacker A_II, B sets g^a as a part of the challenge ciphertext but uses g^b to generate the public key associated with the challenge identity. The KGC's public key is set up as g^x, where B knows the random x ∈ Z_q^*. This way, B can give the master key of the KGC to A_II.

We remark that care must be taken when the answers to the attackers' public key request queries are simulated. One reason is that a public key in our scheme is related not only to a private key but also to the partial private and public keys obtained from the KGC. The other reason is that during the attack, the attackers are entitled to see (or receive) any public keys, even those associated with the target identity. The proofs given in this section address these two issues.

Theorem 1. The CLPKE scheme based on the Schnorr signature is IND-CLPKE-CCA secure in the random oracle model, assuming that the CDH problem is intractable.

In order to prove the above theorem, we prove two lemmas. Lemma 1 shows that our CLPKE scheme is secure against the Type I
attacker whose behavior is as described in Definition 2.

Lemma 1. The CLPKE scheme based on the Schnorr signature is (t, q_{H1}, q_{H2}, q_{H3}, q_paex, q_prex, ε)-IND-CLPKE-CCA secure against the Type I attacker A_I in the random oracle model, assuming that the CDH problem is (t', ε')-intractable, where
$$\varepsilon' > \frac{1}{q_{H_3}}\left(\frac{2\varepsilon}{e\,(q_{prex}+1)} - \frac{q_{H_2}}{2^{l_1}} - \frac{q_D\, q_{H_2}}{2^{l_1}} - \frac{q_D}{q}\right)$$
and
$$t' > t + (q_{H_1} + q_{H_2})\,O(1) + q_{H_3}\,(2T_{EX} + O(1)) + (q_{paex} + q_{prex})\,(T_{EX} + O(1)) + q_D\,(2T_{EX} + O(1)),$$
where q_D denotes the number of decryption queries and T_EX the time for computing an exponentiation in Z_p^*.

Proof. Let A_I be an IND-CLPKE-CCA Type I attacker. The number of queries to the oracles that A_I makes and its running time are as defined in the above lemma statement. We show that using A_I, one can construct an attacker B that solves the CDH problem (Definition 3). Suppose that B is given (p, q, g, g^a, g^b) as an instance of the CDH problem. (The number of queries to the oracles that B makes and its running time are as defined in the above lemma statement.) B can simulate the Challenger's execution of each phase of the IND-CLPKE-CCA game for A_I as follows.

[Simulation of Phase I-1] B sets y = g^b and gives A_I (p, q, g, y, H1, H2, H3) as params, where H1, H2 and H3 are random oracles controlled by B as follows.

On receiving a query (ID, w) to H1:
1. If ⟨(ID, w), e⟩ exists in H1List, return e as the answer.
2. Otherwise, pick e ∈ Z_q^* at random, add ⟨(ID, w), e⟩ to H1List and return e as the answer.

On receiving a query (M, σ) to H2:
1. If ⟨(M, σ), r⟩ exists in H2List, return r as the answer.
2. Otherwise, pick r ∈ Z_q^* at random, add ⟨(M, σ), r⟩ to H2List and return r as the answer.

On receiving a query (k1, k2) to H3:
1. If ⟨(k1, k2), R⟩ exists in H3List, return R as the answer.
2. Otherwise, pick R ∈ {0,1}^l at random, add ⟨(k1, k2), R⟩ to H3List and return R as the answer.

[Simulation of Phase I-2] B answers A_I's queries as follows.

On receiving a partial key extraction query (ID, "partial key extract"):
1. If ⟨ID, (w, t)⟩ exists in PartialKeyList, return (w, t) as the answer.
2. Otherwise, do the following:
(a) Pick t, e ∈ Z_q^* at random and compute w = g^t·y^{−e}; add ⟨(ID, w), e⟩ to H1List (that is, e is defined to be H1(ID, w)) and ⟨ID, (w, t)⟩ to PartialKeyList; return (w, t) as the answer.

Note from the above simulation that we have w·y^{H1(ID,w)} = g^t·y^{−e}·y^e = g^t, which holds in the real attack too. (This step is where B needs H1 to be a random oracle: it fixes e before w, whereas the real KGC fixes w first. If A_I had already queried H1 on (ID, w) the programming would fail, but w is a fresh random group element, so this happens with negligible probability.)

On receiving a public key request query (ID, "public key request"):
1. If ⟨ID, (w, µ), coin⟩ exists in PublicKeyList, return PK_ID = (w, µ) as the answer.
2. Otherwise, pick coin ∈ {0,1} so that Pr[coin = 0] = δ. (δ will be determined later.)
3. If coin = 0, do the following:
(a) If ⟨ID, (w, t)⟩ exists in PartialKeyList, pick z ∈ Z_q^* at random and compute µ = g^z; add ⟨ID, (z, t)⟩ to PrivateKeyList and ⟨ID, (w, µ), coin⟩ to PublicKeyList; return PK_ID = (w, µ) as the answer.
(b) Otherwise, run the above simulation algorithm for partial key extraction on input ID to get a partial key (w, t); pick z ∈ Z_q^* at random and compute µ = g^z; add ⟨ID, (z, t)⟩ to PrivateKeyList and ⟨ID, (w, µ), coin⟩ to PublicKeyList; return PK_ID = (w, µ) as the answer.
4. Otherwise (if coin = 1), pick s, z ∈ Z_q^* at random and compute w = g^s and µ = g^z; add ⟨ID, (z, ?), s⟩ to PrivateKeyList and ⟨ID, (w, µ), coin⟩ to PublicKeyList; return PK_ID = (w, µ) as the answer.