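Affiliation: [1] School of Computer Science and Technology, Nanjing Normal University; Jiangsu Engineering Research Center for Information Security and Confidentiality Technology, Nanjing 210023
Source: Journal of Cryptologic Research (《密码学报》), 2014, No. 2, pp. 146-154 (9 pages)
Funding: National Natural Science Foundation of China (61170298); Natural Science Foundation of Jiangsu Province (BK20130908); Natural Science Research Project of Jiangsu Higher Education Institutions (13KJD520006)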
Abstract: Certificateless public key cryptography is a new type of public key cryptography developed on the foundation of identity-based public key cryptography. It retains the advantage of identity-based public key cryptography, namely that no public key certificates are needed, while effectively solving its inherent key escrow problem. Signcryption combines public key encryption and digital signature, performing both functions in a single logical step at a computational and communication cost lower than that of the traditional "sign-then-encrypt" approach. Several efficient signcryption schemes have been proposed, but they either require certificate management or suffer from the key escrow problem, which limits their practical application. Designing secure and efficient signcryption schemes in the certificateless setting is therefore a research topic of great interest in cryptology and information security. Since the first certificateless signcryption scheme was proposed in 2008, researchers have designed many such schemes and given security analyses for them, but most have been shown to have security flaws. In 2011, Liu et al. proposed an efficient certificateless signcryption scheme that does not use bilinear pairings and proved its security in the random oracle model. However, our security analysis of this scheme shows that it satisfies neither confidentiality nor unforgeability, and we present two concrete attacks against it, which shows that this certificateless signcryption scheme is insecure.
Classification number: TN918.4 [Electronics and Telecommunications: Communication and Information Systems]