簡易檢索 / 詳目顯示

研究生: 陳炫豪
Chen, Hsuan-Hao
論文名稱: 可否認式配對加密系統
Deniable Matchmaking Encryption
指導教授: 紀博文
Chi, Po-Wen
口試委員: 紀博文 王銘宏 莊允心
口試日期: 2021/07/30
學位類別: 碩士
Master
系所名稱: 資訊工程學系
Department of Computer Science and Information Engineering
論文出版年: 2021
畢業學年度: 109
語文別: 英文
論文頁數: 52
中文關鍵詞: 可否認式加密系統配對加密系統變色龍雜湊函數
英文關鍵詞: Deniable Encryption, Matchmaking Encryption, Chameleon Hash Function
DOI URL: http://doi.org/10.6345/NTNU202101242
論文種類: 學術論文
相關次數: 點閱:74下載:11
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報
  • 我們提出了一個名為可否認式配對加密系統的新加密系統,這個加密系統是建立在配對加密系統的基礎上,並新增了可否認式加密系統的特性,使其在一些受到脅迫而必須公開密文或金鑰內容的場合,依舊能夠保護寄件者、收件者以及密文本身的安全性,這是一套能同時否認寄件者、收件者身分以及訊息內容的加密系統。
    在可否認式配對加密系統中,寄件者以及收件者皆可以透過指定身分來保護密文,只有當雙方的身分皆符合加密時的指定身分時,密文才能被正確的解密,而對於任何非指定身分的一方,此密文皆不會洩漏任何資訊,並且,若今天發生了一些脅迫事件,迫使任一方或建立金鑰的公正第三方必須公開金鑰或公開原文時,因為此加密系統藉由變色龍雜湊函數的性質,可以產生出另一個不同寄件者、不同收件者以及不同原文的加密訊息,使得除了當事人雙方以外,其他人皆沒有辦法判定哪一組密文才是真正的密文,以此來保護當事人雙方的安全。
    在理論方面,我們定義了可否認式配對加密系統的安全性,提供了完整的可否認式配對加密系統的架構,並證明了在配對加密系統是安全的情況下,我們的可否認式配對加密系統是安全的。而在實作方面,我們計算了可否認式配對加密系統的計算時間需求與計算空間需求並與配對加密系統進行比較。

    We introduce a new encryption scheme, which is called Deniable Matchmaking Encryption (DME). This encryption scheme is based on Matchmaking Encryption (ME) and adds deniability on it. In some situations that users or the trusted third parties are coercered to reveal the plaintext or even the secret keys, this scheme can still protect the message and the identity of the sender and receiver. This is a Bi-identity-deniability encryption scheme.
    In DME, The sender and the receiver can protect the message by specifying the other user's identity. Only when both the sender and the receivers' identities are matched, the ciphertext can be decrypted correctly, and for anyone does not match the identity acquirement, the ciphertext leaks no information.With the help of chameleon hash function, DME can generate an indistinguishable fake ciphertext, which the sender identity, receiver identity and the message are all fake, to protect the true ciphertext. So that if any malicious adversary coercers the users or trusted third parties to reveal the ciphertext or the secret keys, the adversary can not distinguish whether the ciphertext is true.
    On the theoretical side, we define the security of DME and provide a DME encryption scheme. We prove that if ME is secure, our DME is also secure. On the practical side, we compute the space cost and computation cost of DME and compare it to ME.

    Chapter 1 Introduction 1 1.1 Identity-­based Encryption and Attribute-­based Encryption 1 1.2 Matchmaking Encryption 2 1.3 Problems in Real Life 3 1.4 Deniability in Matchmaking Encryption 4 1.5 Our Contributions 5 Chapter 2 Related Work 7 2.1 Identity­-based Encryption 7 2.2 Attribute­-based Encryption 9 2.3 Chameleon Hash Function 11 2.4 Deniable Encryption 13 2.5 Matchmaking Encryption 17 Chapter 3 Preliminaries 19 3.1 Notation 19 3.2 Bilinear Mapping 19 3.3 Identity-­based Chameleon Hash Function 21 3.4 Matchmaking Encryption 22 Chapter 4 Deniable Matchmaking Encryption 25 4.1 Our Idea 25 4.2 Definition 27 4.3 Construction 33 4.4 Correctness 37 Chapter 5 Security Analysis 39 5.1 Semantic Security 39 5.2 Deniability 40 Chapter 6 Performance Estimation 44 Chapter 7 Conclusions 46 References 47

    [1] G. Ateniese and B. de Medeiros. Identity­based chameleon hash and applications. In A. Juels, editor, Financial Cryptography, pages 164–180, Berlin, Heidelberg, 2004.
    Springer Berlin Heidelberg.
    [2] G. Ateniese and B. de Medeiros. On the key exposure problem in chameleon hashes. In C. Blundo and S. Cimato, editors, Security in Communication Networks, pages165–179, Berlin, Heidelberg, 2005. Springer Berlin Heidelberg.
    [3] G. Ateniese, D. Francati, D. Nuñez, and D. Venturi. Match me if you can: Matchmaking encryption and its applications. In A. Boldyreva and D. Micciancio, editors, Advances in Cryptology – CRYPTO 2019, pages 701–731, Cham, 2019. Springer International Publishing.
    [4] N. Attrapadung and H. Imai. Conjunctive broadcast and attribute­based encryption. In H. Shacham and B. Waters, editors, Pairing­Based Cryptography – Pairing 2009, pages 248–265, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg.
    [5] J. Bethencourt, A. Sahai, and B. Waters. Ciphertext­policy attribute­based encryption. In 2007 IEEE Symposium on Security and Privacy (SP ’07), pages 321–334, 2007.
    [6] D. Boneh and M. Franklin. Identity­based encryption from the weil pairing. In
    J. Kilian, editor, Advances in Cryptology — CRYPTO 2001, pages 213–229, Berlin,
    Heidelberg, 2001. Springer Berlin Heidelberg.
    [7] R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky. Deniable encryption. In B. S.
    Kaliski, editor, Advances in Cryptology — CRYPTO ’97, pages 90–104, Berlin,
    Heidelberg, 1997. Springer Berlin Heidelberg.
    [8] D. L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM, 24(2):84–90, Feb. 1981.
    [9] X. Chen, F. Zhang, and K. Kim. Chameleon hashing without key exposure. In
    K. Zhang and Y. Zheng, editors, Information Security, pages 87–98, Berlin, Heidelberg, 2004. Springer Berlin Heidelberg.
    [10] X. Chen, F. Zhang, W. Susilo, and Y. Mu. Efficient generic on­line/off­line signatures without key exposure. In J. Katz and M. Yung, editors, Applied Cryptography and Network Security, pages 18–30, Berlin, Heidelberg, 2007. Springer Berlin Heidelberg.
    [11] J. Choi and S. Jung. A handover authentication using credentials based on chameleon hashing. IEEE Communications Letters, 14(1):54–56, 2010.
    [12] I. Damgård and J. B. Nielsen. Improved non­committing encryption schemes based on a general complexity assumption. In M. Bellare, editor, Advances in Cryptology — CRYPTO 2000, pages 432–450, Berlin, Heidelberg, 2000. Springer Berlin Heidelberg.
    [13] Y. Desmedt and J.­J. Quisquater. Public­key systems based on the difficulty of
    tampering (is there a difference between des and rsa?). In A. M. Odlyzko, editor,
    Advances in Cryptology — CRYPTO’ 86, pages 111–117, Berlin, Heidelberg, 1987.
    Springer Berlin Heidelberg.
    [14] C.­I. Fan, L.­Y. Huang, and P.­H. Ho. Anonymous multireceiver identity­based encryption. IEEE Transactions on Computers, 59(9):1239–1249, 2010.
    [15] D. M. Goldschlag, M. G. Reed, and P. F. Syverson. Hiding routing information. In R. Anderson, editor, Information Hiding, pages 137–150, Berlin, Heidelberg, 1996. Springer Berlin Heidelberg.
    [16] V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attribute­based encryption for
    fine­grained access control of encrypted data. In Proceedings of the 13th ACM
    Conference on Computer and Communications Security, CCS ’06, page 89–98,
    New York, NY, USA, 2006. Association for Computing Machinery.
    [17] S. Guo, D. Zeng, and Y. Xiang. Chameleon hashing for secure and privacypreserving vehicular communications. IEEE Transactions on Parallel and
    Distributed Systems, 25(11):2794–2803, 2014.
    [18] M. Klonowski, P. Kubiak, and M. Kutyłowski. Practical deniable encryption. In
    V. Geffert, J. Karhumäki, A. Bertoni, B. Preneel, P. Návrat, and M. Bieliková, editors,
    SOFSEM 2008: Theory and Practice of Computer Science, pages 599–609, Berlin,
    Heidelberg, 2008. Springer Berlin Heidelberg.
    [19] H. Krawczyk and T. Rabin. Chameleon hashing and signatures, 1998.
    [20] A. Lewko and B. Waters. Decentralizing attribute­based encryption. In K. G. Paterson, editor, Advances in Cryptology – EUROCRYPT 2011, pages 568–588, Berlin, Heidelberg, 2011. Springer Berlin Heidelberg.
    [21] J. Li, J. Li, X. Chen, C. Jia, and W. Lou. Identity­based encryption with outsourced
    revocation in cloud computing. IEEE Transactions on Computers, 64(2):425–437,
    2015.
    [22] U. M. Maurer and Y. Yacobi. Non­interactive public­key cryptography. In D. W.
    Davies, editor, Advances in Cryptology — EUROCRYPT ’91, pages 498–507,
    Berlin, Heidelberg, 1991. Springer Berlin Heidelberg.
    [23] P. Mohassel. One­time signatures and chameleon hash functions. In A. Biryukov, G. Gong, and D. R. Stinson, editors, Selected Areas in Cryptography, pages 302–319, Berlin, Heidelberg, 2011. Springer Berlin Heidelberg.
    [24] S. Müller, S. Katzenbeisser, and C. Eckert. Distributed attribute­based encryption. In P. J. Lee and J. H. Cheon, editors, Information Security and Cryptology – ICISC 2008, pages 20–36, Berlin, Heidelberg, 2009. Springer Berlin Heidelberg.
    [25] A. O’Neill, C. Peikert, and B. Waters. Bi­deniable public­key encryption. In P. Rogaway, editor, Advances in Cryptology – CRYPTO 2011, pages 525–542, Berlin,
    Heidelberg, 2011. Springer Berlin Heidelberg.
    [26] A. Sahai and B. Waters. Fuzzy identity­based encryption. In R. Cramer, editor,
    Advances in Cryptology – EUROCRYPT 2005, pages 457–473, Berlin, Heidelberg,
    2005. Springer Berlin Heidelberg.
    [27] A. Sahai and B. Waters. How to use indistinguishability obfuscation: Deniable encryption, and more. In Proceedings of the Forty­Sixth Annual ACM Symposium
    on Theory of Computing, STOC ’14, page 475–484, New York, NY, USA, 2014.
    Association for Computing Machinery.
    [28] A. Shamir. Identity­based cryptosystems and signature schemes. In G. R. Blakley and D. Chaum, editors, Advances in Cryptology, pages 47–53, Berlin, Heidelberg, 1985. Springer Berlin Heidelberg.
    [29] H. Tanaka. A realization scheme for the identity­based cryptosystem. In C. Pomerance, editor, Advances in Cryptology — CRYPTO ’87, pages 340–349, Berlin, Heidelberg, 1988. Springer Berlin Heidelberg.
    [30] S. Tsujii and T. Itoh. An id­based cryptosystem based on the discrete logarithm
    problem. IEEE Journal on Selected Areas in Communications, 7(4):467–473, 1989.
    [31] B. Waters. Efficient identity­based encryption without random oracles. In R. Cramer, editor, Advances in Cryptology – EUROCRYPT 2005, pages 114–127, Berlin, Heidelberg, 2005. Springer Berlin Heidelberg.

    下載圖示
    QR CODE