The Weil Pairing
Classic paper on the 2-DNF encryption scheme
Evaluating 2-DNF Formulas on Ciphertexts

Dan Boneh (1), Eu-Jin Goh (1), and Kobbi Nissim (2)

(1) Computer Science Department, Stanford University, Stanford CA 94305-9045, USA. {dabo,eujin}@
(2) Department of Computer Science, Ben-Gurion University, Beer-Sheva 84105, Israel. kobbi@cs.bgu.ac.il

Boneh: Supported by NSF. Nissim: Work done while the author was at Microsoft Research, SVC.

J. Kilian (Ed.): TCC 2005, LNCS 3378, pp. 325–341, 2005. © Springer-Verlag Berlin Heidelberg 2005

Abstract. Let ψ be a 2-DNF formula on boolean variables x1, ..., xn ∈ {0,1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1, ..., xn. In other words, given the encryption of the bits x1, ..., xn, anyone can create the encryption of ψ(x1, ..., xn). More generally, we can evaluate quadratic multi-variate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system:

1. In a database of size n, the total communication in the basic step of the Kushilevitz-Ostrovsky PIR protocol is reduced from √n to ∛n.
2. An efficient election system based on homomorphic encryption where voters do not need to include non-interactive zero knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient.
3. A protocol for universally verifiable computation.

1 Introduction

Secure computation allows several parties to compute a function of their joint inputs without revealing more than what is implied by their own inputs and the function outcome. Any polynomial time functionality can be computed by a secure protocol, requiring polynomial resources [32,16]. These seminal results are obtained by a generic transformation that converts an insecure computation of a functionality to a secure version (often referred to as the ‘garbled circuit’ transformation). Secure protocols generated from the garbled circuit transformation typically have poor efficiency. In particular, the communication complexity of the resulting protocols is proportional to the size of a circuit evaluating the functionality, and hence precludes sub-linear communication protocols. The result is that unless circuits are very small, the garbled circuit transformation is seldom used in protocols.

To avoid using the garbled circuit transformation, researchers have sought for tools that give more efficient protocols for specific functionalities. Homomorphic encryption enables “computing with encrypted data” and is hence a useful tool for secure protocols. Current homomorphic public key systems [17,11,25] have limited homomorphic properties: given two ciphertexts Encrypt(PK, x) and Encrypt(PK, y), anyone can compute either the sum Encrypt(PK, x + y), or the product Encrypt(PK, xy), but not both (footnote 1). The problem of constructing ‘doubly homomorphic’ encryption schemes where one may both ‘add and multiply’ is a long standing open question already mentioned by Rivest et al. [29].

Homomorphic encryption schemes have many applications, such as protocols for electronic voting schemes [7,2,8,9], computational private information retrieval (PIR) schemes [20], and private matching [13]. Systems with more general homomorphisms (such as both addition and multiplication) will benefit all these problems.

1.1 Our Results

A Homomorphic Encryption Scheme. We present a homomorphic public key encryption scheme based on finite groups of composite order that support a bilinear map. Using a construction along the lines of Paillier [25], we obtain a system with an additive homomorphism. In addition, the bilinear map allows for one multiplication on encrypted values. As a result, our system supports arbitrary additions and one multiplication (followed by arbitrary additions) on encrypted data. This property in turn allows the evaluation of multi-variate polynomials of total degree 2 on encrypted values. Our applications follow from this new capability. The security of our scheme is based on a new
hardness assumption that we put forward, the subgroup decision problem. Namely, given an element of a group of composite order n = q1q2, it is infeasible to decide whether it belongs to a subgroup of order q1.

Applications. As a direct application of the new homomorphic encryption scheme, we construct a protocol for obliviously evaluating 2-DNFs. Our protocol gives a quadratic improvement in communication complexity over garbled circuits. We show how to get a private information retrieval scheme (PIR) as a variant of the 2-DNF protocol. Our PIR scheme is based on that of Kushilevitz-Ostrovsky [20] and improves the total communication in the basic step of their PIR protocol from √n to ∛n for a database of size n. As noted above, our encryption scheme lets us evaluate quadratic multi-variate polynomials on ciphertexts provided the resulting value falls within a small set; in particular, we can compute dot products on ciphertexts. We use this property to create a gadget that enables the verification that an encrypted value is one of two ‘good’ values. We use this gadget to construct an efficient election protocol where voters do not need to provide proofs of vote validity. Finally, we generalize the election protocol to a protocol of universally verifiable computation.

Footnote 1: An exception is the scheme by Sander et al. [30] that is doubly homomorphic over a semigroup. On the other hand, the homomorphism comes with the cost of a constant factor expansion per semigroup operation. See also its comparison with our results in Section 1.1 below.

Comparison to Other Public-Key Homomorphic Systems. Most homomorphic systems provide only one homomorphism, either addition, multiplication, or xor. One exception is the system of Sander et al. [30] that provides the ability to evaluate NC1 circuits on encrypted values. Clearly their construction also applies to 2-DNF formula. Unfortunately, the ciphertext length in their system grows exponentially in the depth of the 2-DNF formula when written using constant fan-in gates. In our system, the ciphertext size is independent of the formula size or depth; this property is essential for improving the communication complexity basic step of the Kushilevitz-Ostrovsky PIR protocol.

Organization. The rest of this paper is organized as follows. In Section 2 we review the bilinear groups underlying our construction and put forward our new hardness assumption. Section 3 details the construction of a semantically secure public key encryption scheme, its security and homomorphic properties. The basic application to 2-DNF evaluation is presented in Section 4, followed by the election and universally verifiable computation protocols in sections 5 and 6. Section 7 summarizes our results and poses some open problems.

2 Preliminaries

We briefly review the groups underlying our encryption scheme.

2.1 Bilinear Groups

Our construction makes use of certain finite groups of composite order that support a bilinear map. We use the following notation:

1. G and G1 are two (multiplicative) cyclic groups of finite order n.
2. g is a generator of G.
3. e is a bilinear map e: G × G → G1. In other words, for all u, v ∈ G and a, b ∈ Z, we have e(u^a, v^b) = e(u, v)^{ab}. We also require that e(g, g) is a generator of G1.

We say that G is a bilinear group if there exists a group G1 and a bilinear map as above. In the next section we also add the requirement that the group action in G, G1, and the bilinear map can be computed in polynomial time.
Constructing Bilinear Groups of a Given Order n. Let n > 3 be a given square-free integer that is not divisible by 3. We construct a bilinear group G of order n as follows:

1. Find the smallest positive integer ℓ ∈ Z such that p = ℓn − 1 is prime and p = 2 mod 3.
2. Consider the group of points on the (super-singular) elliptic curve y² = x³ + 1 defined over F_p. Since p = 2 mod 3 the curve has p + 1 = ℓn points in F_p. Therefore the group of points on the curve has a subgroup of order n which we denote by G.
3. Let G1 be the subgroup of F*_{p²} of order n. The modified Weil pairing on the curve [22,19,3,23] gives a bilinear map e: G × G → G1 with the required properties.

2.2 The Subgroup Decision Problem

We define an algorithm 𝒢 that given a security parameter τ ∈ Z⁺ outputs a tuple (q1, q2, G, G1, e) where G, G1 are groups of order n = q1q2 and e: G × G → G1 is a bilinear map. On input τ, algorithm 𝒢 works as follows:

1. Generate two random τ-bit primes q1, q2 and set n = q1q2 ∈ Z.
2. Generate a bilinear group G of order n as described at the end of Section 2.1. Let g be a generator of G and e: G × G → G1 be the bilinear map.
3. Output (q1, q2, G, G1, e).

We note that the group action in G, G1 as well as the bilinear map can be computed in polynomial time in τ.

Let τ ∈ Z⁺ and let (q1, q2, G, G1, e) be a tuple produced by 𝒢(τ) where n = q1q2. Consider the following problem: given (n, G, G1, e) and an element x ∈ G, output ‘1’ if the order of x is q1 and output ‘0’ otherwise; that is, without knowing the factorization of the group order n, decide if an element x is in a subgroup of G. We refer to this problem as the subgroup decision problem. For an algorithm A, the advantage of A in solving the subgroup decision problem SD-Adv_A(τ) is defined as:

SD-Adv_A(τ) = | Pr[A(n, G, G1, e, x) = 1 : (q1, q2, G, G1, e) ← 𝒢(τ), n = q1q2, x ← G] − Pr[A(n, G, G1, e, x^{q2}) = 1 : (q1, q2, G, G1, e) ← 𝒢(τ), n = q1q2, x ← G] |

Definition 1. We say that 𝒢 satisfies the subgroup decision assumption if for any polynomial time algorithm A we have that SD-Adv_A(τ) is a negligible function in τ.

Informally, the assumption states that the uniform distribution on G is indistinguishable from the uniform distribution on a subgroup of G. Recall that the factorization of the order of G is hidden so that the order of subgroups of G remains unknown to a polynomial time adversary.

3 A Homomorphic Public-Key System

We can now describe our public key system. The system resembles the Paillier [25] and the Okamoto-Uchiyama [24] encryption schemes. We describe the three algorithms making up the system:

KeyGen(τ): Given a security parameter τ ∈ Z⁺, run 𝒢(τ) to obtain a tuple (q1, q2, G, G1, e). Let n = q1q2. Pick two random generators g, u ← G and set h = u^{q2}. Then h is a random generator of the subgroup of G of order q1. The public key is PK = (n, G, G1, e, g, h). The private key is SK = q1.

Encrypt(PK, M): We assume the message space consists of integers in the set {0, 1, ..., T} with T < q2. We encrypt bits in our main application, in which case T = 1. To encrypt a message m using public key PK, pick a random r ← {0, 1, ..., n − 1} and compute C = g^m h^r ∈ G. Output C as the ciphertext.

Decrypt(SK, C): To decrypt a ciphertext C using the private key SK = q1, observe that C^{q1} = (g^m h^r)^{q1} = (g^{q1})^m. Let ĝ = g^{q1}. To recover m, it suffices to compute the discrete log of C^{q1} base ĝ. Since 0 ≤ m ≤ T this takes expected time Õ(√T) using Pollard’s lambda method [21, p. 128].

Note that decryption in this system takes polynomial time in the size of the message space T. Therefore, the system as described above can only be used to encrypt short messages. Clearly one can use the system to encrypt
longer messages, such as session keys, using any mode of operation that converts a cipher on a short block into a cipher on an arbitrary long block. We note that one can speed-up decryption by precomputing a (polynomial-size) table of powers of ĝ so that decryption can occur in constant time.

3.1 Homomorphic Properties

The system is clearly additively homomorphic. Let (n, G, G1, e, g, h) be a public key. Given encryptions C1, C2 ∈ G of messages m1, m2 ∈ {0, 1, ..., T} respectively, anyone can create a uniformly distributed encryption of m1 + m2 mod n by computing the product C = C1·C2·h^r for a random r in {0, 1, ..., n − 1}.

More importantly, anyone can multiply two encrypted messages once using the bilinear map. Set g1 = e(g, g) and h1 = e(g, h). Then g1 is of order n and h1 is of order q1. Also, write h = g^{αq2} for some (unknown) α ∈ Z. Suppose we are given two ciphertexts C1 = g^{m1}h^{r1} ∈ G and C2 = g^{m2}h^{r2} ∈ G. To build an encryption of the product m1·m2 mod n given only C1 and C2, do: 1) pick a random r ∈ Z_n, and 2) set C = e(C1, C2)·h1^r ∈ G1. Then

C = e(C1, C2)·h1^r = e(g^{m1}h^{r1}, g^{m2}h^{r2})·h1^r = g1^{m1m2}·h1^{m1r2 + r1m2 + αq2r1r2 + r} = g1^{m1m2}·h1^{r̃} ∈ G1

where r̃ = m1r2 + r1m2 + αq2r1r2 + r is distributed uniformly in Z_n as required. Thus, C is a uniformly distributed encryption of m1m2 mod n, but in the group G1 rather than G (this is why we allow for just one multiplication). We note that the system is still additively homomorphic in G1.

Note. In some applications we avoid blinding with h^r, making the homomorphic computation deterministic.

Quadratic Polynomials. Let F(x1, ..., xu) be a u-variate polynomial of total degree 2. The discussion above shows that given the encryptions C1, ..., Cu of values x1, ..., xu, anyone can compute the encryption of C = F(x1, ..., xu). On the other hand, to decrypt C, the decryptor must already know that the result F(x1, ..., xu) lies in a certain polynomial size interval.

3.2 Security

We now turn to proving semantic security of the system under the subgroup decision assumption. The proof is standard and we briefly sketch it here.

Theorem 1. The public key system of Section 3 is semantically secure assuming 𝒢 satisfies the subgroup decision assumption.

Proof. Suppose a polynomial time algorithm B breaks the semantic security of the system with advantage ε(τ). We construct an algorithm A that breaks the subgroup decision assumption with the same advantage. Given (n, G, G1, e, x) as input, algorithm A works as follows:

1. A picks a random generator g ∈ G and gives algorithm B the public key (n, G, G1, e, g, x).
2. Algorithm B outputs two messages m0, m1 ∈ {0, 1, ..., T} to which A responds with the ciphertext C = g^{m_b}x^r ∈ G for a random b ← {0,1} and random r ← {0, 1, ..., n − 1}.
3. Algorithm B outputs its guess b′ ∈ {0,1} for b. If b = b′ algorithm A outputs 1 (meaning x is uniform in a subgroup of G); otherwise A outputs 0 (meaning x is uniform in G).

It is easy to see that when x is uniform in G, the challenge ciphertext C is uniformly distributed in G and is independent of the bit b. Hence, in this case Pr[b = b′] = 1/2. On the other hand, when x is uniform in the q1-subgroup of G, then the public key and challenge C given to B are as in a real semantic security game. In this case, by the definition of B, we know that Pr[b = b′] > 1/2 + ε(τ). It now follows that A satisfies SD-Adv_A(τ) > ε(τ) and hence A breaks the subgroup decision assumption with advantage ε(τ) as required.

We note that if 𝒢 satisfies the subgroup decision assumption then semantic security also holds for ciphertexts in G1. These ciphertexts are the output of the multiplicative homomorphism. If semantic security did not hold in G1, then it would also not hold in G because one can always translate a ciphertext in G to a ciphertext in G1 by “multiplying” by the encryption of 1. Hence, by Theorem 1, semantic security must also hold for ciphertexts in G1.

4 Two Party Efficient SFE for 2-DNF

In this section we show how to use our homomorphic encryption scheme to construct efficient secure function evaluation protocols. Our basic result is a direct application of the additive and multiplicative homomorphisms of our public key encryption scheme. We consider a two-party scenario where Alice holds a Boolean formula φ(x1, ..., xn) and Bob holds an assignment a = a1, ..., an. As the outcome, Bob learns φ(a). We restrict our attention to 2-DNF formulas:

Definition 2. A 2-DNF formula over the variables x1, ..., xn is of the form ∨_{i=1}^k (ℓ_{i,1} ∧ ℓ_{i,2}) where ℓ_{i,1}, ℓ_{i,2} ∈ {x1, ..., xn, x̄1, ..., x̄n}.

We first give a protocol for the model of semi-honest parties, and then modify it to cope with a malicious Bob, capitalizing on an ‘input verification’ gadget. In the semi-honest model, both parties are assumed to perform computations and send messages according to their prescribed actions in the protocol. They may also record whatever they see during the protocol (i.e. their own input and randomness, and the messages they receive). On the other hand, a malicious party may deviate arbitrarily from the protocol. We sketch the security definitions for the simple case where only one party (Bob) is allowed to learn the output. We refer readers to Goldreich’s book [15] for the complete definitions.
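The following is an added example, not code from the paper: a toy of KeyGen, Encrypt and Decrypt from Section 3 together with the additive homomorphism of Section 3.1. The bilinear group G is stood in by the cyclic subgroup of Z_p^* of order n = q1q2 (with p = kn + 1 prime), which keeps the structure C = g^m h^r with h of order q1 and the decryption step C^{q1} = (g^{q1})^m, but has no pairing, so the single multiplication is not available here. The parameter sizes, the Miller-Rabin helper and the `demo` function are all constructed for illustration; a table of powers of ĝ replaces Pollard's lambda method.

```python
import random

# Added example (not the paper's code). Toy of Section 3 in a subgroup of Z_p^*
# of order n = q1*q2, p = k*n + 1 prime. No pairing, so no multiplication.
# Parameter sizes are far too small for any security; they make the arithmetic visible.


def is_probable_prime(x, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if x < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if x % sp == 0:
            return x == sp
    d, s = x - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, x - 1)
        y = pow(a, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, x)
            if y == x - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def gen_group(tau):
    """Stand-in for the generator of Section 2.2: tau-bit primes q1 != q2 and a prime p = k*n + 1."""
    q1 = random_prime(tau)
    q2 = random_prime(tau)
    while q2 == q1:
        q2 = random_prime(tau)
    n = q1 * q2
    k = 2
    while not is_probable_prime(k * n + 1):
        k += 2
    return q1, q2, k * n + 1


def random_generator(p, q1, q2):
    """Uniform generator of the order-n subgroup of Z_p^* (n = q1*q2)."""
    n = q1 * q2
    cofactor = (p - 1) // n
    while True:
        u = pow(random.randrange(2, p - 1), cofactor, p)   # order divides n
        if pow(u, q1, p) != 1 and pow(u, q2, p) != 1:      # so the order is exactly n
            return u


def keygen(tau):
    q1, q2, p = gen_group(tau)
    g = random_generator(p, q1, q2)
    u = random_generator(p, q1, q2)
    h = pow(u, q2, p)                       # h generates the subgroup of order q1
    return {"n": q1 * q2, "p": p, "g": g, "h": h}, q1


def encrypt(pk, m):
    """C = g^m * h^r with r uniform in {0, ..., n-1}."""
    r = random.randrange(pk["n"])
    return pow(pk["g"], m, pk["p"]) * pow(pk["h"], r, pk["p"]) % pk["p"]


def add(pk, c1, c2):
    """Additive homomorphism: a fresh, re-randomized encryption of m1 + m2 mod n."""
    r = random.randrange(pk["n"])
    return c1 * c2 * pow(pk["h"], r, pk["p"]) % pk["p"]


def decrypt(pk, sk, c, T):
    """C^q1 = (g^q1)^m removes the h^r blinding; m <= T is read off a table of powers of g^q1."""
    p = pk["p"]
    g_hat = pow(pk["g"], sk, p)
    target = pow(c, sk, p)
    table = {pow(g_hat, m, p): m for m in range(T + 1)}
    if target not in table:
        raise ValueError("plaintext outside {0..T}")
    return table[target]


def demo(tau=16, T=50):
    """Encrypts 3 and 4, adds the ciphertexts, decrypts the sum (returns 7)."""
    pk, sk = keygen(tau)
    return decrypt(pk, sk, add(pk, encrypt(pk, 3), encrypt(pk, 4)), T)


if __name__ == "__main__":
    print(demo())
```

Decryption cost grows with T exactly as the text says: the table has T + 1 entries, which is why the scheme is used on bits or other short messages.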
Security in the Semi-Honest Model. The definition is straightforward since only one party (Bob) is allowed to learn the output:

– Bob’s security – indistinguishability: We require that Alice cannot distinguish between the different possible inputs Bob may hold.
– Alice’s security – comparison to an ideal model: Alice’s security is formalized by considering an ideal trusted party that gets the inputs φ() and a, and gives φ(a) to Bob. We require in the real implementation that Bob does not get any information beyond whether a satisfies φ().

Security Against Malicious Parties. The security definition for this model captures both the privacy and correctness of the protocol and is limited to the case where only one of the parties is corrupt. Informally, the security definition is based on a comparison with an ideal trusted party model (here the corrupt party may give an arbitrary input to the trusted functionality). The security requirement is that for any strategy a corrupt party may play in a real execution of the protocol, there is an efficient strategy it could play in the ideal model with computationally indistinguishable outcomes.

4.1 The Basic Protocol

Protocol 2-DNF in Figure 1 uses our homomorphic encryption scheme for efficiently evaluating 2-DNFs with semi-honest parties. We get a three message protocol with communication complexity O(n·τ), a quadratic improvement in communication with respect to Yao’s garbled-circuit protocol [32] that yields communication proportional to the potential formula length, Θ(n²).

Input: Alice holds a 2-DNF formula φ(x1, ..., xn) = ∨_{i=1}^k (ℓ_{i,1} ∧ ℓ_{i,2}) and Bob holds an assignment a = a1, ..., an ∈ {0,1}^n. Both parties’ inputs include a security parameter τ.
1. Bob performs the following:
   (a) He invokes KeyGen(τ) to compute keys SK, PK, and sends PK to Alice.
   (b) He computes and sends Encrypt(PK, aj) for j = 1, ..., n.
2. Alice performs the following:
   (a) She computes an arithmetization Φ of φ by replacing “∨” by “+”, “∧” by “·” and “x̄j” by “(1 − xj)”. Note that Φ is a polynomial in x1, ..., xn with total degree 2.
   (b) Alice computes the encryption of r·Φ(a) for a randomly chosen r using the encryption scheme’s homomorphic properties. The result is sent to Bob.
3. If Bob receives an encryption of 0, he outputs 0; otherwise, he outputs 1.
Fig. 1. Protocol 2-DNF

Claim. Protocol 2-DNF is secure against semi-honest Alice and Bob.

Proof (Sketch). Alice’s security follows as the distribution on Bob’s output only depends on whether φ() is satisfied by a or not. Bob’s security follows directly from the semantic security of the encryption scheme.

Note. Protocol 2-DNF (as well Malicious-Bob-2-DNF below) is secure even against a computationally unlimited Bob. Interestingly, the garbled circuit protocol (where Alice garbles φ) has the opposite property where it can be secured against an unbounded Alice but not an unbounded Bob. (See also Cachin et al. [5] for a discussion of computing on encrypted data versus garbled circuits).

4.2 Example Application – Private Information Retrieval

A private information retrieval (PIR) scheme allows a user to retrieve information from an n-bit database without revealing any information on which bit he is interested in [6,20]. SPIR (symmetric PIR) is a PIR scheme that also protects the database privacy – a (semi-honest) user will only learn one of the database bits [14]. In this section, we show how an immediate application of protocol 2-DNF results in a PIR/SPIR scheme. Our constructions are based on that of Kushilevitz and Ostrovsky [20].

A SPIR Scheme. We get a SPIR scheme with communication O(τ·√n) as an immediate application of protocol 2-DNF. Without loss of generality, we assume that the database size n is a perfect square and treat the database as a table D of dimensions √n × √n. Using this notation, suppose Bob wants to retrieve entry (I, J) of D. Alice (the database holder) holds the 2-DNF formula φ over x1, ..., x√n, y1, ..., y√n:

φ(x1, ..., x√n, y1, ..., y√n) = ∨_{D_{i,j} = 1} (xi ∧ yj),

and Bob’s assignment a sets xI and yJ to 1 and all other variables to 0. Bob and Alice carry out the 2-DNF protocol with this assignment and 2-DNF formula. It is clear that φ(a) = D_{I,J} as required.

An Alternative Construction. Using the 2-DNF protocol for SPIR restricts database entries to bits. We provide an alternative construction that allows each database entry to contain up to O(log n) bits. We consider the data as a table of dimensions √n × √n as above. To retrieve entry (I, J) of D, Bob creates two polynomials p1(x) and p2(x) of degree √n − 1 such that p1(i) is zero on 0 ≤ i < √n except for p1(I) = 1, and similarly p2(j) is zero on 0 ≤ j < √n except for p2(J) = 1. Bob sends to Alice the encryption of the coefficients of p1(x) and p2(x). Alice uses the encryption scheme’s homomorphic properties to compute the encryption of

D_{I,J} = Σ_{0 ≤ i,j < √n} p1(i) p2(j) D_{i,j}.

We allow D_{i,j} to be b-bit values where b = O(log n). Bob recovers D_{i,j} in time O(2^{b/2}) by computing a discrete logarithm using the baby-step giant-step algorithm.

A PIR Scheme. Standard communication balancing of our SPIR scheme results in a PIR scheme where each party sends O(τ·∛n) bits. In particular, view the database as comprising of n^{1/3} chunks, each chunk containing n^{2/3} entries, where Bob is interested in retrieving entry (I, J, K) of D. Bob sends Alice the coefficients of two polynomials p1(x) and p2(x) of degree ∛n − 1 such that p1(i) = p2(i) = 0 on 0 ≤ i < ∛n except for p1(I) = p2(J) = 1. Alice uses the encryption scheme’s homomorphic properties to compute encryptions of

D_{I,J,k} = Σ_{0 ≤ i,j < ∛n} p1(i) p2(j) D_{i,j,k}

for 0 ≤ k < ∛n. Alice sends the ∛n resulting ciphertexts to Bob who decrypts the K-th entry. Recursively applying this balancing (as in Kushilevitz-Ostrovsky [20]) results in a protocol with communication complexity O(τn^ε) for any ε > 0. We note that the recursion depth to reach ε is lower in our case compared to that of Kushilevitz-Ostrovsky [20] by a constant factor of log2 3.

4.3 Security of the 2-DNF Protocol Against a Malicious Bob

A malicious
Bob may try to learn about Alice’s 2-DNF formula by sending Alice an encryption of a non-boolean assignment a1, ..., an. He may also let Alice evaluate φ for an encrypted assignment that Bob cannot decrypt himself. Both types of behaviors do not correspond to a valid run in the ideal model. To prevent the first attack, we present a gadget that allows Alice to ensure a ciphertext she receives contains one of two ‘valid’ messages v0, v1. This gadget is applicable outside of the scope of 2-DNF as we demonstrate in sections 5 and 6. The second attack is prevented using standard methods: Alice presents Bob with a challenge that cannot be resolved unless he can decrypt. This decryption ability is then used when Bob is simulated to create valid inputs for the trusted party (footnote 2).

A Gadget for Checking c ∈ {v0, v1}. This gadget exploits our ability to evaluate a polynomial of total degree 2 on the encryption of c. We choose a polynomial that has v0 and v1 as zeros as follows: given an encryption of a value c, Alice uses the homomorphic properties of the encryption scheme to compute r·(c − v0)·(c − v1) for a randomly chosen r. For c ∈ {v0, v1}, this computation results in the encryption of 0. For other values of c, the result is random. In the special case of c ∈ {0,1}, Alice computes r·c·(c − 1).

The Protocol. The result is protocol Malicious-Bob-2-DNF described in Figure 2.

Input: as in protocol 2-DNF in Figure 1.
1. Alice and Bob engage in the following ‘proof of decryption ability’ protocol:
   (a) Bob invokes KeyGen(τ) to compute keys SK, PK and sends PK to Alice.
   (b) Alice chooses τ random bits m1, ..., mτ and sends their encryptions Encrypt(PK, m1), ..., Encrypt(PK, mτ) to Bob.
   (c) Bob replies with a decryption m′1, ..., m′τ of the received encryptions. Alice aborts if any of Bob’s decryptions is incorrect.
2. Bob computes and sends Encrypt(PK, aj) for j = 1, ..., n.
3. Alice performs the following:
   (a) She computes an arithmetization Φ of φ as in protocol 2-DNF.
   (b) Using the homomorphic properties of the encryption scheme, she computes the encryption of r·Φ(a) + Σ_{i=1}^n ri·ai·(ai − 1) for randomly chosen r, ri. She sends the result to Bob.
4. If Bob receives an encryption of 0, he outputs 0; otherwise, he outputs 1.
Fig. 2. Protocol Malicious-Bob-2-DNF

Claim. Protocol 2-DNF is secure against semi-honest Alice and malicious Bob.

Proof (Sketch). Security against semi-honest Alice follows as in protocol 2-DNF. Security against malicious Bob follows by simulation. Note that the ‘proof of decryption ability’ sub-protocol can be used to decrypt Bob’s message in Step 2 of the protocol, hence providing the inputs to the trusted party.

Footnote 2: The ‘standard’ use of this technique is to give Bob a random message for a challenge. Bob’s simulator would then use the self reducibility properties of the encryption scheme to (i) map an encrypted message Encrypt(PK, m) to an encryption of a random message, say Encrypt(PK, m + r), (ii) use Bob’s procedure to retrieve m′ = m + r, and (iii) retrieve m = m′ − r. As the message space is limited in our scheme due to decryption limitations, we need a slightly modified scheme.
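The following is an added example, not the paper's code: Alice's computations in protocols 2-DNF (Figure 1) and Malicious-Bob-2-DNF (Figure 2), the validity gadget of Section 4.3, and the selector polynomials of the SPIR construction in Section 4.2, all carried out over plaintext values modulo a constructed n = q1q2. In the real protocols each of these steps is applied to ciphertexts through the additive homomorphism plus the single multiplication; here the arithmetic is shown in the clear so that the degree-2 structure, and the zero/non-zero outcome Bob sees, are visible. The modulus N, the formula encoding (a clause is a pair of (index, negated) literals) and the function names are assumptions of this example.

```python
import random

# Added example (not the paper's code). Plaintext view of Figures 1 and 2, the gadget
# r*(c - v0)*(c - v1), and the SPIR selector polynomials, modulo a constructed n = q1*q2.

N = 1009 * 1013   # constructed toy group order n = q1*q2 (two small primes)


def lit_value(lit, a):
    """Arithmetization of a literal: x_j -> a_j, negated x_j -> 1 - a_j."""
    j, negated = lit
    return (1 - a[j]) if negated else a[j]


def arithmetize(formula, a, n=N):
    """Phi(a) for a 2-DNF given as a list of clauses (lit1, lit2): '∨' -> '+', '∧' -> '·'."""
    return sum(lit_value(l1, a) * lit_value(l2, a) for l1, l2 in formula) % n


def eval_2dnf(formula, a):
    """Boolean reference evaluation of phi(a) for a 0/1 assignment."""
    return any(lit_value(l1, a) == 1 and lit_value(l2, a) == 1 for l1, l2 in formula)


def alice_2dnf(formula, a, n=N, rng=random):
    """Figure 1, step 2(b): r * Phi(a) for random r; zero iff no clause is satisfied."""
    return rng.randrange(1, n) * arithmetize(formula, a, n) % n


def validity_gadget(c, v0, v1, n=N, rng=random):
    """Section 4.3 gadget: r*(c - v0)*(c - v1) is 0 iff c in {v0, v1}, random otherwise."""
    return rng.randrange(1, n) * (c - v0) * (c - v1) % n


def alice_malicious_bob(formula, a, n=N, rng=random):
    """Figure 2, step 3(b): r*Phi(a) + sum_i r_i * a_i * (a_i - 1)."""
    total = alice_2dnf(formula, a, n, rng)
    for ai in a:
        total = (total + validity_gadget(ai, 0, 1, n, rng)) % n
    return total


def bob_output(c):
    """Step 3 of Figure 1 / step 4 of Figure 2: 0 for an encryption of 0, else 1."""
    return 0 if c == 0 else 1


def selector_poly(idx, m, n=N):
    """Coefficients (lowest degree first) of the degree m-1 polynomial over Z_n that is 1 at
    idx and 0 elsewhere on {0, ..., m-1}; needs m below the smallest prime factor of n."""
    coeffs, denom = [1], 1
    for i in range(m):
        if i == idx:
            continue
        nxt = [0] * (len(coeffs) + 1)
        for d, c in enumerate(coeffs):      # multiply the running product by (x - i)
            nxt[d + 1] = (nxt[d + 1] + c) % n
            nxt[d] = (nxt[d] - i * c) % n
        coeffs = nxt
        denom = denom * (idx - i) % n
    inv = pow(denom, -1, n)
    return [c * inv % n for c in coeffs]


def poly_eval(coeffs, x, n=N):
    acc = 0
    for c in reversed(coeffs):               # Horner's rule
        acc = (acc * x + c) % n
    return acc


def spir_retrieve(D, I, J, n=N):
    """Alice's sum_{i,j} p1(i) p2(j) D[i][j]: every term is a product of two values that are
    linear in Bob's coefficients, i.e. total degree 2, so one multiplication suffices."""
    m = len(D)
    p1, p2 = selector_poly(I, m, n), selector_poly(J, m, n)
    return sum(poly_eval(p1, i, n) * poly_eval(p2, j, n) * D[i][j]
               for i in range(m) for j in range(m)) % n
```

With a non-boolean assignment such as a1 = 2 the honest computation r·Φ(a) may still be 0, which is what a malicious Bob would exploit to probe φ; the added gadget terms r_i·a_i·(a_i − 1) are then non-zero, so Bob only ever sees a random non-zero value.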
5 An Efficient Election Protocol Without Random Oracles

In this section, we describe an electronic election protocol where voters submit boolean (“yes/no”) votes. Such protocols were first considered by Benaloh and Fisher [7,2] and more recently by Cramer et al. [8,9].

A key component of electronic election schemes is a proof, attached to each vote, of its correctness (or validity); for example, a proof that the vote really is an encryption of 0 or 1. Otherwise, voters may corrupt the tally by sending an encryption of an arbitrary value. Such proofs of validity are typically zero-knowledge (or witness indistinguishable) proofs. These interactive zero knowledge proofs of bit encryption are efficiently constructed (using zero knowledge identification protocols) for standard homomorphic encryption schemes such as ElGamal [11,18], Pedersen [26,8], or Paillier [25,10]. The proof of validity is then usually made non-interactive using the Fiat-Shamir heuristic of replacing communication with an access to a random oracle [12]. In the actual instantiation, the random oracle is replaced by some ‘cryptographic function’ such a hash function. Security is shown hence to hold in an ideal model with access to the random oracle, and not in the standard model [27].

Our election protocol has the interesting feature that voters do not need to include proofs of validity or any other information except for their encrypted votes when casting their ballots. Instead, the election authorities can jointly verify that a vote is valid based solely on its encryption. The technique is based on the gadget we constructed in Section 2. This gadget allows us to avoid using the Fiat-Shamir heuristic and yet makes our scheme efficient. As a result, our election scheme is very efficient from the voter’s point of view as it requires only a single encryption operation (two exponentiations) to create a ballot (footnote 3).

5.1 The Election Scheme

Our scheme belongs to the class of election protocols proposed by Cramer et al. [8,9] where votes are encrypted using a homomorphic encryption scheme. For robustness, we use a threshold version of the encryption scheme in Section 3. For simplicity (following Shoup [31]), we assume that a trusted dealer first generates the public/private keys, shares the private keys between the election authorities, and then deletes the private key (a generic secure computation may be used to replace the trusted dealer, as this is an offline phase). With this assumption, a threshold version of our encryption scheme can be constructed using standard techniques from discrete log threshold cryptosystems [26].

Footnote 3: Curiously, this voting scheme is probably the most efficient for the voter, taking into account the efficiency of operating in an elliptic curve group.
Defined on an elliptic curve (selected)
Notation I
• G1: an additive group of prime order q; it is a subgroup of the group of points on an elliptic curve.
• G2: a multiplicative group of prime order q; it is a subgroup of a related finite field {F*_{p²}, p = 6q − 1}.
• ê: a bilinear map from G1 × G1 to G2; ê will be derived from the Weil and Tate pairing on the elliptic curve. {Note ê(P, Q) = e(P, φ(Q)), where φ(x, y) = (ζx, y) is an automorphism of the group of points on the curve E, with ζ³ ≡ 1 mod p.}
Verification
Outline
• The introduction of introduction
• Introduction
• Notation
• The Scheme
• Efficient
• Conclusions
The introduction of introduction
• ECDLP: two operations, + and scalar multiplication, are defined on an elliptic curve. P, Q are points on the curve and r ∈ Z_q*. If Q = rP, then given P and Q, finding r is the ECDLP {finding r is very hard}.
• Bilinear: we say that a map e: G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G1 and all a, b ∈ Z.
• Weil pairing on an elliptic curve.
Basic parameters of elliptic curves over prime fields

Elliptic curves over prime fields (elliptic curves over finite fields) are an important concept in number theory, used mainly in cryptography and coding theory.

For an elliptic curve over a prime field, the basic parameters are the following:

1. Finite field: the curve is defined over a finite field, usually written GF(p), where p is a prime.
2. Elliptic curve equation: a cubic polynomial equation defining the curve, usually written y² = x³ + ax + b (where a and b are elements of GF(p)).
3. Order: the number of points on the curve. For a curve over a prime field the order is usually written n, i.e. the smallest positive integer n satisfying nG = 0 (G being the point at infinity of the curve).
4. Generator point: a point used to represent the curve, usually a generator of order n. The generator is usually written (x, y) and satisfies the curve equation.
5. Multiples of the order: the points satisfying nG = 0. These points can be used to construct the additive group on the curve.
6. Scalar multiplication: point addition on the curve can be realized through scalar multiplication. For an element k of GF(p), scalar multiplication is computed as kP = (x′, y′), where P is a point on the curve.
7. Bilinear pairing (Weil pairing): a map satisfying certain properties that sends points on the curve to elements of a finite field. This map is important in cryptography, particularly in elliptic curve cryptography, where it is used for tasks such as digital signatures and key exchange.

These basic parameters play a key role in both the theory and the applications of elliptic curves over prime fields. Understanding and mastering them helps in studying and researching such curves.
An Introduction to Pairing Based Cryptography
Cryptographic Applications
• MOV attack: transfers the discrete logarithm problem on E to a discrete logarithm in F_{q^k}.
• Separating DDH from DH: pairings can be used to show the Decision Diffie-Hellman problem is easier than the Diffie-Hellman problem on some curves.
• Identity based encryption: public key encryption system where the user's public key is based on his own identity, i.e. an email address.
• Short signatures: signature schemes with signatures half the length of other signature schemes.
• Key exchange: a tripartite key exchange can be done in one round.
• Group structure of E: can be determined efficiently using pairings.
• Identity based signatures, identity based key exchange, ...

1) e(P, 0) = e(0, Q) = 1
2) e(P, −Q) = e(P, Q)^{−1} = e(−P, Q)
3) e([a]P, Q) = e(P, Q)^a = e(P, [a]Q) for all a ∈ Z
4) e([a]P, [b]Q) = e(P, Q)^{ab} for all a, b ∈ Z
Elliptic curves

Definition 9-1: When Δ ≠ 0, the point set over a field K

E : {(x, y) | y² + a1xy + a3y = x³ + a2x² + a4x + a6} ∪ {O}    (9-4)

(where a1, a2, a3, a4, a6 ∈ K and O is the point at infinity) is called an elliptic curve over the field K. Here j = c4³/Δ is called the j-invariant of the elliptic curve E.

In the study of an elliptic curve E over a field K, we usually take the Weierstrass equation in the following forms:
1. When the characteristic of K is not 2 or 3, the Weierstrass equation is

The points of E form a group with the following properties:
1. For any P ∈ E there exists a point, written −P, such that P + (−P) = O;
2. For any P ∈ E, P + O = P;
3. For any P, Q ∈ E, P + Q = Q + P;
4. For any P, Q, T ∈ E, (P + Q) + T = P + (Q + T);
5. (P + Q) + (−R) = O.

When x1 ≠ x2, the slope of the line L′ is λ = (y2 − y1)/(x2 − x1).

When x1 = x2 and Q = P, the line L′ is the tangent through the point P (= Q), with slope λ = (3x1² + 2a2x1 + a4 − a1y1)/(2y1 + a1x1 + a3).

The sum P + Q = (x3, y3) is given by x3 = λ² − x1 − x2, y3 = λ(x1 − x3) − y1, where (a) when x1 ≠ x2, λ = (y2 − y1)/(x2 − x1), and (b) when x1 = x2 and Q = P, λ = (3x1² + a4)/(2y1).

Geometrically: (a) when x1 ≠ x2 (i.e. P ≠ Q), see Figure 9-1:
Identity-based authenticated key agreement protocol
ê : G1 × G1 → G2 is a bilinear pairing, a bilinear map defined on the groups G1 and G2. Given the input (p, xp, yp, zp, W), where x, y, z ∈ Z_q* and W ∈ G2, decide whether W = ê(p, p) (g′, g′^a, g, g^a, ⋯ g^a) ∈ G1

the stronger, information security problems in e-commerce, e-government, enterprise informatization and other areas closely tied to people's lives have become the focus of society as a whole, and security problems in network communication draw ever more attention. Authenticated key agreement protocols provide an important guarantee for secure communication in open network environments: they allow two (or more) communicating parties, on the basis of identity authentication, to jointly negotiate a secure shared session key from the information each provides, establishing a secret channel for the subsequent confidential communication so that the participants transmit information securely, thereby ensuring the confidentiality and integrity of the data. In 1976, Diffie and Hellman first proposed public key cryptography's

a new two-round two-party authenticated key agreement protocol; by analyzing the security attributes of the new protocol, some principles for constructing two-party authenticated key agreement are pointed out. The protocol realizes mutual identity authentication between the communicating parties, so that each can confirm the identity of the other, and also provides key agreement. Keywords: identity-based; authenticated key agreement; security attributes; bilinear pairing. CLC number: TP393
A New Identity-based Authenticated Key Agreement Protocol
Keywords: identity based; authenticated key agreement; security attributes; bilinear pairing; class number TP393. PKG: private key generator. ... subsequently proposed many practical identity-based encryption schemes and key agreement protocols as well as improved protocols [5–14] ... two (or more) parties, on the basis of identity authentication, jointly ... from the information each provides ... ensure the confidentiality and integrity of data.
Random oracle model
软件学报ISSN 1000-9825, CODEN RUXUEW E-mail: jos@Journal of Software ©中国科学院软件研究所版权所有. Tel/Fax: +86-10-62562563随机谕言模型∗贾小英, 李 宝, 刘亚敏+(中国科学院 研究生院 信息安全国家重点实验室,北京 100049)Random Oracle ModelJIA Xiao-Ying, LI Bao, LIU Ya-Min +(State Key Laboratory of Information Security, Graduate University, The Chinese Academy of Sciences, Being 100049, China)+ Corresponding author: E-mail: ymliu@, Jia XY, Li B, Liu YM. Random oracle model. Journal of Software /1000-9825/4092.htmAbstract : In this paper we give a survey of the random oracle model, which is an important tool in provablesecurity. We introduce the random oracle model on several aspects, including its origin and development, basicproperties and methodology, representative schemes, plaintext awareness, random oracle instantiation, theuninstantiable properties and related negative results, and the research of weakened random oracle models. Besides,other ideal models are compared with the random oracle model, and construction of encryption schemes in thestandard model is also referred.Key words : public-key cryptography; provable security; random oracle model; random oracle instantiation;uninstantiability of random oracle; weakened random oracle model摘 要: 介绍了可证明安全理论中的重要工具——随机谕言模型,包括随机谕言模型的起源、基本性质和方法、随机谕言模型中的代表方案、明文知晓性质、随机谕言的实例化、随机谕言不可实例化的性质和相关负面结论以及对弱化的随机谕言模型的研究.还比较了随机谕言模型和其他的理想模型,并简介了标准模型中的方案设计状况.关键词: 公钥密码学;可证明安全;随机谕言模型;随机谕言实例化;随机谕言的不可实例化性质;弱化的随机谕言模型中图法分类号: TP316 文献标识码: A随机谕言模型(random oracle model,简称ROM)[1],亦可翻译为随机谕示模型,随机预言模型或随机预言机模型等,是可证明安全理论中的重要工具.可证明安全是指将密码方案的安全性归约为某些问题的难解性(intractability),从而使方案的安全性有具体的度量标准的理论和方法.自Goldwasser 和Micali 建立可证明安全理论以来[2,45],寻找高效率并且可证明安全的方案就成为公钥密码学领域的首要问题.起初的安全性证明模型中只有对某些数学问题的难解性假设,而没有对密码学原语的理想化假设.这种模型称为标准模型(standard model),并被认为是最接近现实状况的模型.然而,最初在标准模型中设计的具有可证∗ 基金项目: 国家自然科学基金(61070171); 国家重点基础研究发展规划(973)(2007CB311201)收稿时间: 2010-10-15; 定稿时间: 2011-07-08; jos 在线出版时间: 2011-09-09网络出版时间:2011-09-09 13:54网络出版地址:/kcms/detail/11.2560.TP.20110909.1354.003.html2 Journal of 
Software软件学报明安全性的密码方案的效率并不理想.为了提高效率,理想化的随机谕言模型成为平衡效率和安全性的一种方式,也成为可证明安全领域的一大争议问题:一方面是层出不穷的在随机谕言模型下设计的密码协议,另一方面是对随机谕言模型特殊性质的探讨和各种负面结论.因此,对随机谕言模型的研究已经成为可证明安全领域的重要部分.本文将介绍随机谕言模型的起源与发展、基本性质与方法、应用实例以及关于随机谕言模型的热点研究问题.此外,1 随机谕言模型1.1 起源1986年,Fiat和.图1.给定如图1(hash function)h FS来是(α,β,γ).Fiat-Shamir发送者S(sk,pkFig.1图1在证明谕言.自此,1.2 基本性质和方法随机谕言模型中假设协议各方都能够访问一个公开的随机函数,即“随机谕言”.随机谕言必须满足如下基本性质:1) 确定性:对于相同的谕言询问q,总是给出相同的回答;2) 有效性:对于任意随机谕言询问q,总是在多项式时间内给出回答;3) 随机性:谕言的输出分布均匀随机.应用随机谕言方法构造密码方案则包括以下步骤:1) 在随机谕言模型中构造方案,并建立方案的安全性;2) 用合适的函数代替方案中使用的随机谕言,即随机谕言的实例化.由于随机谕言的输出熵大于它的输入熵,即,它的确定性和随机性要求是矛盾的,这一点表明随机谕言只是理想存在的原语[46].因此,随机谕言模型中建立的方案安全性并不等同于实例化之后的方案实际安全性,这一点也成为随机谕言模型受到质疑的原因.在随机谕言模型中证明方案的安全性时,需要模拟随机谕言.这一点通常使用“查表法”来实现,即,保持一个动态增长的列表L.对于询问q,首先在L中查找是否已有项(q,y)存在.如果是,则输出y作为回答;否则,均匀随机贾小英 等:随机谕言模型 3 地选择y ,输出y ,并将(q ,y )添加到表L 中.这种模拟方法得到的随机谕言完全满足它的3种基本性质,并且能够简化方案的安全性证明.2 随机谕言模型中的方案和概念随机谕言模型自提出以来便成为构造高效率密码方案的重要工具,并且一些密码概念都是先在随机谕言模型下构造出可行的方案,再在标准模型中实现.可以说,随机谕言模型也是方案构造的一个“实验台”.本节将介绍两个成功的随机谕言模型方案,即f -OAEP 公钥加密方案[5]和Fujisaki-Okamoto 变换[6],以及起源于随机谕言模型的安全概念、明文知晓性质[5].2.1 f -OAEP 方案1994年,Bellare 和Rogaway 在随机谕言模型下构造了具有密文比特最优性质的公钥加密方案,f -OAEP 方案.随后,RSA-OAEP,即f 为RSA 函数时得到的公钥加密方案,成为PKCS#1 V2.0中的加密标准.2.1.1 方案描述约定方案的安全参数为1k ,k 0,k 1,n 为正整数.01:{0,1}{0,1}k n k G +a 和是随机谕言,F 是一 01:{0,1}{0,1}k n k H +a 个陷门置换生成器.1) 密钥生成:运行F (1k )得到(f ,f −1).f 是公钥,f −1是私钥;2) 加密:f -OAEP 方案首先使用随机谕言G 和H 对明文消息m 进行填充变换,即OAEP 变换(optimal asymmetric encryption padding).OAEP 算法是一个不对称的两轮Feistel 结构,其中,随机谕言G 和H 的作用与 Feistel 结构中的轮函数类似.对于消息m ∈{0,1}n ,均匀随机地选择随机数,并计算:0{0,1}k r ∈1||0(),(),||.k s m G r t r H s u s =⊕=⊕=t将填充后的消息u 应用单向陷门置换f ,便得到密文y =f (u ).3) 解密:对于密文y ,首先计算u =f −1(y ).将u 解析为s ||t ,并计算:ˆ(),().r t H s ms G r =⊕=⊕ 将解析为m ∈{0,1}ˆmn 和,若z 是全0串,则表示y 是合法密文,输出明文m ;否则,输出错误符号⊥. 
0{0,1}k z ∈2.1.2 效率和安全性f -OAEP 方案的主要开销为f 函数的计算.与f 函数的计算开销相比,算法中的消息填充、随机谕言询问以及异或运算的开销微乎其微.因此,f -OAEP 计算上具有高效率.此外,f -OAEP 方案中的明密文长度之比,较之此前的其他加密方案也是最优的.f -OAEP 方案的安全性证明却是一波三折.起初在提出f -OAEP 时,Bellare 和Rogaway 声称对于任何单向陷门置换f ,f -OAEP 在随机谕言模型中都能达到IND-CCA2安全.然而2001年,Shoup 指出[7],若仅要求f 具有单向性还无法保证f -OAEP 的IND-CCA2安全性,并给出了若f 具有异或可延展性质(XOR-malleability)则f -OAEP 无法达到IND-CCA2安全性的证明.幸运的是,Fujisaki 等人发现,若f 具有部分定义域单向性(partial domain one- wayness),则f -OAEP 在随机谕言模型下仍然能够达到IND-CCA2安全性[8].而RSA 函数便具有这种性质,因此RSA-OAEP 在随机谕言模型下仍然是IND-CCA2安全的.2.2 Fujisaki -Okamoto 变换1999年,Fujisaki 和Okamoto 提出了一种利用随机谕言将具有弱安全性的公钥加密方案转化为具有强安全性的公钥加密方案的变换方法[6],称为Fujisaki-Okamoto 变换(FO 变换).以下介绍FO 变换的一个简化形式.2.2.1 方案描述和安全性令E pk 为一个概率公钥加密方案,G ,H 是两个随机谕言.对E pk 应用FO 变换,可以得到一个混合形式的公钥加密方案.hy hy pkpk E E 的密钥生成算法与E pk 的密钥生成算法相同一样,在加密时,对于消息m ,hy pk E 选择随机数σ并计算: ()(;(,))||().hy pk pk m H m G σσσ=⊕E E m4 Journal of Software软件学报对于密文y=(C,U),其中,C是密文中来自E pk加密的部分,U是随机谕言G的对应值和明文的异或部分.使用E pk 的私钥便可对C密文解密得到σ,再计算m=U⊕G(σ)并验证是否有C=E pk(σ;H(σ;m)):如果是,则输出明文m; 否则,输出错误符号⊥.E的公钥加密在随机谕言模型下便能只要公钥加密方案E pk具有IND-CPA安全性,经过FO变换后得到的hypk达到IND-CCA2安全.而具有IND-CPA安全性的公钥加密方案比具有IND-CCA2安全性的方案容易构造,因此FO变换可以方便地将弱安全的公钥加密方案转化为强安全的公钥加密方案.FO变换的一个著名应用便是Boneh-Franklin的基于身份的加密方案(BF-IBE方案)[9].自1984年Shamir提出基于身份的加密方案(identity-based encryption,简称IBE)的构想以来[10],构造高效率IBE方案的问题一直悬而未决;直到2001年,Boneh和Franklin利用Weil对子(Weil pairing)和FO变换构造了在随机谕言模型下达到IND-ID-CCA2安全的BF IBE方案.BF IBE方案是第一个现实的IBE方案,并且已经进入2009年公布的IEEE P1363.3关于基于身份的公钥密码协议的标准草案中.2.3 明文知晓性(plaintext awareness)在随机谕言模型中产生的不只是高效率的密码方案,还有新的安全概念.明文知晓性便是起源于随机谕言模型然后被推广到标准模型下的一个强安全性概念.明文知晓性是1994年Bellare和Rogaway为了方便证明f-OAEP方案的IND-CCA2安全性而提出的,它的直观含义是指,如果敌手产生了一个有效密文,则它一定已经知道对应的明文,这样,CCA模型中的解密谕言对敌手就没有用处了.随后,Bellare等人又细化了明文知晓性的概念,为敌手增加了窃听密文的能力[11],将概念推广到标准模型下,并细分为PA0,PA1,PA2等不同难度等级[12]. PA0,PA1,PA2与标准的安全性定义存在对应关系,即IND-CPA+PA0⇒IND-CPA,IND-CPA+PA1⇒IND-CCA1, IND-CPA+PA2⇒IND-CCA2.为了使PA在随机谕言模型和标准模型中的定义兼容,Bellare和Palacio推荐将随机谕言模型中的PA定义也区分成PA0-RO,PA1-RO和PA2-RO.以下是PA1-RO和PA2-RO的定义,其中的敌手A称为密文生成器,解密模拟器A*称为明文提取器.定义1(PA1-RO). 
一个公钥加密方案,如果对任意密文生成器A都存在明文提取器A*,只给定公钥和A的随机谕言询问列表R[A],A*与真实解密算法的输出分布不可区分,则称此方案满足PA1.PA0的定义与PA1相似,只是在PA0中,敌手A只被允许询问一次明文提取器A*,而在PA1中,A可以向A* 发送多项式次解密询问.PA1中的敌手并没有窃听密文的能力.在PA2中增加了明文生成器P用以刻画A的窃听密文能力,也就是说, P能够为A提供A不知道对应明文的密文.A从P得到的密文存放在密文列表CLIST中.A不允许用CLIST中的密文询问A*.定义2(PA2-RO). 一个公钥加密方案,如果对访问任意明文生成器P的任意密文生成器A都存在明文提取器A*,只给定公钥和A的随机谕言询问列表R[A]以及密文列表CLIST,A*与真实解密算法的输出分布不可区分, 则称此方案满足PA2.标准模型中没有随机谕言询问,因而在标准模型的明文知晓性定义中,R[A]是A的随机数列表.实际上,标准模型中的明文知晓性比IND-CCA2安全性更难证明.但是,对标准模型中的明文知晓性的研究仍然是可证明安全中有趣的研究方向,因为它还有着实际应用的需求.例如,Raimondo等人发现,SKEME密钥交换协议的可否认性的证明就需要使用加密方案的明文知晓性[13].3 随机谕言实例化随机谕言的基本性质中的确定性和随机性是矛盾的,因此随机谕言只是理想化的原语,实际计算时需要用现实函数来替代.随机谕言的实例化就是指在实际应用中用合适的杂凑函数的计算来代替对随机谕言的访问.究竟采用具有何种性质的杂凑函数来实例化随机谕言,才能够使在随机谕言模型下安全的方案在标准模型中贾小英 等:随机谕言模型 5 也能建立起至少经得起现实考验的安全性,是研究随机谕言模型的一个热点方向.本节将介绍一些用于实例化随机谕言的密码学原语以及对f -OAEP 的实例化结论.3.1 完美单向杂凑函数1997年,Canetti 提出了用于随机谕言实例化的谕言杂凑技术(oracle hashing)[14].之后在1998年,Canetti 等人为其更名为完美单向杂凑函数(perfectly one-way hash function,简称POWHF)[15].完美单向杂凑函数是一类概率杂凑函数,它能够隐藏关于其自变量的所有部分信息,并且具有完整性、抗碰撞性与完美单向性.以下是完美单向杂凑函数的形式化定义.定义3(完美单向杂凑函数). 约定安全参数为1k .算法H 为对于输入x 和随机数r ∈R k ,返回杂凑值y .算法V 能够有效地验证y 是否是输入x 的杂凑值,并输出一个判定比特.如果满足如下性质,则函数对(H ,V )被称为完美 单向杂凑函数:I. 完整性:对所有足够大的k ,任意r ∈R k 和任意输入x ,有V (x ,H (x ,r ))=1;II. 抗碰撞性:对任意概率多项式时间的敌手A ,令(x ,x ′y )←A (1k ),那么以下概率Pr [V (x ,y )=1∧V (x ′,y )=1∧x ≠x ′]是可忽略的.III. 
完美单向性:对任意概率多项式时间的敌手A ,有,((,)),((,))c x x r x x r ′〈〉=〈〉A H A H ,x 的杂凑值与x ′的杂凑值计算不可区分,即H (x ,r )隐藏了x 的所有部分信息.3.1.1 强完美单向杂凑函数在实例化随机谕言时,通常需要杂凑函数具有强完美单向性,即对于不可逆函数f ,有,((),(,)),((),(,)).c x f x x r x f x x r ′〈〉=〈〉A H A H使用强完美单向杂凑函数实例化随机谕言,已经出现了一些正面结论.例如此前所述的Bellare 和Rogaway 的在随机谕言模型下达到IND-CPA 安全性的加密方案[1],E pk (m ;r )=f (r )||G (r )⊕m ,用关于f 的强完美单向杂凑函数 代替G 后,该方案仍然保持IND-CPA 安全性[14].此外,Boldyreva 和Fischilin 证明了用强完美单向杂凑函数实例化Fujisaki-Okamoto 变换中的任意一个随机谕言,所得到的部分实例化后的方案在随机谕言模型中仍然保持安全性[16].但是,Fujisaki-Okamoto 变换的完全实例化仍然是一个开放问题.3.1.2 完美单向杂凑函数的构造Canetti 等人提出了几个构造(强)完美单向杂凑函数的方法[14,15].由于完美单向杂凑函数要求杂凑值可验证,因此计算杂凑值所使用的随机数通常是公开的,这种“公开随机数”的方法在目前的随机谕言实例化结论中普遍使用.以下是Canetti 等人提出的两种(强)完美单向杂凑函数的构造:构造1:H (x ,r )=(r ,r h (x )),其中,h 是一个抗碰撞的杂凑函数.令G 为模p 的q 阶子群,g ∈G .H 的完整性很明显,其抗碰撞性质基于h 的抗碰撞性质.在判定性Diffie-Hellman(DDH)假设下(即对于有*,,,q a b c c ab ∈≠Z (,,)(,,)ca b ab a b c g g g g g g =),可以将区分 (r ,r h (x ))和(r ,r h (x ′))的问题归约为区分(g a ,g b ,g ab )和(g a ,g b ,g c )问题,从而证明H 的完美单向性质.此外,类似地,基于更 强的假设((),,)((),,)cb ab bc f a g g f a g g =,可以归约证明H 的强完美单向性质.构造2:,其中,f (,)(,())l l H x r r f r =x l (⋅)来自于一个抗碰撞的伪随机函数部落(){}{{}}n n t t T n N F ∈∈.H l 的完整性是明 显的,H l 的抗碰撞性质来自于f l (⋅)的抗碰撞,H l 的完美单向性来自于f l (⋅)的伪随机性质.因此,H l 是完美单向杂凑函数.3.2 增强的完美单向杂凑函数此后的文献中也提出了一些强原语,这些强原语的性质可以增强完美单向杂凑函数的性质.下面介绍自适应完美单向杂凑函数[17]和可提取的完美单向杂凑函数[18].6 Journal of Software软件学报3.2.1 自适应完美单向杂凑函数2008年,Pandey,Pass和Vaikuntanathan提出了自适应单向函数的概念[17].给定一个族函数F n={f tag:{0,1}n a{0,1}n},其中,tag是函数f tag的下标.如果对于每个tag和随机的r,即使敌手能够访问tag′≠tag的其他函数f tag′的求逆谕言,f tag(r)都难以求逆,则称函数族F n是自适应单向的.将自适应性质加诸完美单向杂凑函数,得到的强原语、自适应的完美单向杂凑函数,可以适用于更复杂的随机谕言模型方案的实例化.例如Bellare和Rogaway于1993年提出的在随机谕言模型下达到IND-CCA2安全性的加密方案[1],E pk(m;r)=f(r)||G(r)⊕m||H(m||r),若G,H均用自适应的强完美单向杂凑函数实例化,则该方案仍然保持IND-CCA2安全性.3.2.2 可提取的完美单向杂凑函数可提取的完美单向函数是Canetti和Dakdouk于2008年提出的又一个强原语[18].由于随机谕言本身具有可提取性质,即,如果有一种算法知道函数值,则说明它已经知道原像.这种性质使得随机谕言模型下的安全性证明十分便利.如果用具有可提取性质的函数来实例化随机谕言,则原来在随机谕言模型中的证明可以直接移植过来,加密方案E 
pk(m;r)=f(r)||G(r)⊕m||H(m||r)中的随机谕言G,H也可以用可提取的强完美单向杂凑函数安全地实例化.Canetti和Dakdouk给出了一些基于强假设构造可提取的单向函数的方法[18],但是可提取的(强)完美单向杂凑函数的构造仍然是未知的.如果能构造出可提取的(强)完美单向杂凑函数,即使是基于强假设,也将是随机谕言实例化问题的重要进展.3.3 对OAEP的实例化f-OAEP是随机谕言模型中最成功的方案之一.虽然Bellare和Rogaway推荐基于SHA和MD5杂凑函数来构造f-OAEP 方案中的两个随机谕言G,H的替代函数,并且在PKCS#1 V2.1标准中也类似地推荐了MD系列和SHA系列的杂凑函数来构造对G,H的替代,但是这种替代的安全性仅仅基于“经验”,并没有得到严格证明.因此,从可证明安全的角度研究对f-OAEP方案的实例化意义重大.以下介绍一些对f-OAEP方案实例化的已有结论.2005年,Boldyreva和Fischilin证明了OAEP中的两个随机谕言G,H都不能用强完美单向杂凑函数来实例化[16].随后在2006年,Boldyreva和Fischilin细致分析了OAEP中的随机谕言对方案的安全性所起的作用,并为f-OAEP方案的部分实例化“定制”了具有某些特定性质的杂凑函数[19].适合随机谕言G的是近似抗碰撞的伪随机生成器(near-collision resistant pseudorandom generator,简称NCRPRG).用NCRPRG实例化G后得到的方案在随机谕言模型中保持了IND-CCA2安全性;适合随机谕言H的是不可延展的伪随机生成器(non-malleable pseudorandom generator,简称NMPRG),用NMPRG实例化H后得到的方案在随机谕言模型中是NM-CPA安全的.如果同时实例化G,H,则得到的完全实例化的f-OAEP方案在标准模型中是$NM-CPA安全的.由于$NM-CPA是NM-CPA的较弱的变形,并非标准的安全性定义,因此Boldyreva和Fischilin提出了一个开放问题,即,能否使f-OAEP的完全实例化满足一个标准的安全性定义.2010年,Kiltz,O’Neil和Smith解决了这个开放问题,证明了f-OAEP可以满足标准的IND-CPA安全性定义[20].这是对f-OAEP实例化的最新正面结论.4 随机谕言的不可实例化性质如果说对随机谕言模型实例化的研究表现出对随机谕言方法的支持,那么反对随机谕言方法的声音主要表现在对随机谕言的不可实例化性质的研究上.虽然在随机谕言模型中构造的密码方案具有高效率,但是在随机谕言模型中的安全性证明并不能保证方案的实际安全性,这是因为随机谕言模型的一些理想化的性质是现实的原语都不具有的.以下介绍一些关于随机谕言模型的负面结果.4.1 相关难解性质1998年,Canetti,Halevi和Goldreich首次构造了在随机谕言模型中安全但是在标准模型中却无法安全实例贾小英 等:随机谕言模型7化的方案[21].这种方案的存在,正是由于随机谕言独特的相关难解性质(correlation intractability).为了刻画相关难解性质,Canetti 等人首先定义了模糊二元关系(evasive binary relation)的概念: 定义4(模糊二元关系). 给定一个二元关系R ,如果对于任何概率多项式时间的谕言机M ,以下概率Pr[(1),(,())]k x x x R ←O M O ∈]∈可忽略,则称R 为模糊二元关系,其中,O 是随机谕言.由于随机谕言O 的输出分布均匀随机,因此O (x )与x 之间并不存在明显的非平凡关系,故而模糊二元关系很 容易找到.相关难解性正是随机谕言的理想随机性的体现.定义5(相关难解性). 给定一个函数f :{0,1}*a {0,1}poly (k ),其函数描述为s .如果对于任意模糊二元关系R 以及任意概率多项式时间图灵机M ,以下概率可忽略,则称f 具有相关难解性. 
{0,1}[(),(,())k s Pr x s x f x R ∈←M 函数的变量和自变量之间的映射关系由其描述决定.随机谕言的描述一般被视为多项式时间内不可计算的,而现实中使用的函数,其描述都是公开的并且是多项式时间内可计算的.因此,总是能够根据其描述构造出 一个模糊二元关系R ,使得(x ,f (x ))∈R ,例如关系,其中,{(,()):{0,1}}k s kR s f s s =∈U F *{0,1}{}s s f ∈=F 是所有下标为s 的函数的集合.故而,现实中的函数都不具备相关难解性.利用这一点,Canetti,Halevi 和Goldreich 能够从任意安全的签名方案构造在随机谕言模型下安全,但是用任 意现实中使用的函数都无法安全实例化的签名方案[20].给定一个能够抵抗存在性伪造攻击的签名方案S =(G ,S ,V ),可以构造随机谕言模型中的关于模糊二元关系R 的签名方案如下,其中,O 是随机谕言:(,,)R R R S =O O G S V O 1) 签名算法R O S :(,), (,())(,).(,), (,())R sk m m m R sk m sk m m m R∈⎧=⎨∉⎩O O S S O 2) 验证算法R O V :, (,())(,,).(,,), (,())R m m R vk m vk m m m Rσσ∈⎧=⎨∉⎩接受O O V V O 可以看出,在随机谕言模型下,签名方案的安全性仍然与方案S =(G ,S ,V )一样,因为(m ,O (m ))∈R 的概率可忽略.然而当O 被描述为s 的现实函数f (,,)R R R S =O O G S V O s 替代时,很容易构造关系R 使得(m ,f s (m ))∈R ,从而 使方案输出其签名密钥.4.2 其他负面结论2002年,Nielsen 指出[22],在随机谕言模型中很容易构造的一类密码方案——非交互非承诺的加密方案(non-interactive non-committing encryption,简称NINCE),在标准模型中是无法构造的.这是由于随机谕言模型具有的理想可编程性质(ideal programmability),现实函数并不具有.简而言之,随机谕言模型的理想可编程性质是指它在某些点的值可以预先设置而不被察觉.与相关难解性一样,理想可编程性质也是随机谕言的随机性的体现,它与相关难解性之间的关系很可能是等价的.验证这一点将是一个有趣的问题,有助于理解随机谕言模型的基本性质.探讨现实中的原语的可编程性质也是有意义的问题,如2008年,Hofheinz 和Kiltz 还尝试了在标准模型中构造具有可编程性质的杂凑函数[23].2003年,Goldwasser 和Taumann 对Fiat-Shamir 变换[4]的分析类似于Canetti 等人的结论.Goldwasser 和Taumann 证明,对于某些三轮身份验证协议,应用Fiat-Shamir 变换可以得到在随机谕言模型下可证明安全,但是无法安全实例化的签名方案.2004年,Bellare 等人研究了公钥密码学当前的一个热点研究方向——密钥封装机制(key encapsulation mechanism,简称KEM)的构造,并证明了同时具有密钥可验证性质,密文可验证性质以及IND-CCA 保持性质的KEM 只能在随机谕言模型中存在[24].Bellare 等人的结论与此前的负面结论大不一样,因为他们的着眼点不在于现实中的函数不具备随机谕言模型的理想随机性,而在于随机谕言的公开可访问性质并非总是存在.即,两个随机谕言模型中的密码系统,它们各自使用的随机谕言是独立的,并不能在这两个密码系统分别的参与方之间共8 Journal of Software软件学报享.而现实中的函数的描述总是公开的,因此不具有这种性质.2004年,Maurer,Renner和Holenstein研究了密码系统之间的可归约性[25].他们将两个密码系统的不可区分性质一般化成不可分辨性质(indifferentiability),并重新定义了可归约性.若A和B不可分辨,则将系统C(B)中的组件B替换成A后,C(B)的安全性并不受影响;而系统U能够归约为系统V,是指从V可以构造与U不可分辨的系统B(V).Maurer等人证明了随机谕言不能归约为一个较弱的原语:异步信标(asynchronous 
beacon),而异步信标亦不能归约为有限长度的随机串.这说明存在随机谕言模型中的密码系统,其中的随机谕言并不能用现实中的函数来替代.Maurer等人关于随机谕言模型的负面结论并不针对具体的密码方案和构造,并蕴涵了此前Canetti等人的结论[21].虽然以上这些负面结论已经触及了一些现实的密码学目标,如KEM的构造等,但是尚未涉及像RSA-OAEP 这种已经成为加密标准的方案.然而在2006年,Brown提出,实例化RSA-OAEP中的随机谕言后,可能无法将其IND-CCA2安全性归约为RSA的单向性[26].2009年,Kiltz和Pietrzak对基于填充的加密方案的随机谕言实例化给出了一个负面结论[27].基于填充的加密方案(padding-based encryption)是指,像f-OAEP这种首先用一个公开的单射变换π(如OAEP)对明文消息和随机数进行填充变换,再对变换结果应用陷门置换f的加密方案.Kiltz和Pietrzak 证明,即使假设理想的陷门置换存在,基于填充的加密方案的IND-CCA2安全性,甚至IND-CCA1安全性,都无法黑箱归约到f的“理想单向性”.但是,Kiltz和Pietrzak的结论也没有排除用非黑箱归约的方法建立f-OAEP在标准模型中的安全性的可能.如果说大部分关于随机谕言模型实例化的负面结论在直观上可以归咎于真实杂凑函数并不具有随机谕言的理想随机性,那么2009年,Leurent和Nguyen的实例化负面结论则可以归咎于真实杂凑函数不那么理想的抗碰撞性.Leurent和Nguyen的分析更为精细[28],在他们的结论中,此前多种随机谕言实例化建议,例如Bellare和Rogaway早期关于随机谕言模型的文献中所提出的方法[1,5],都是不安全的.综合对随机谕言模型的实例化和不可实例化结论看来,随机谕言模型实例化进展甚微而困难重重,是一个极具挑战性的研究方向.目前的情形是,实例化方法大多效率不高,并且在完全实例化的情形下,大都不能保持在随机谕言模型中建立的安全性;而对随机谕言不可实例化性质的研究,虽然结论众多,但是也大都停留在定义层面,并没有产生对一般随机谕言模型中的方案的现实攻击.5 弱化的随机谕言模型随机谕言模型中的假设过于强大,使得它在密码方案的证明中几乎具有无所不能的性质.如果能够弱化随机谕言模型,那么在弱化的模型中建立的安全性可能会更加接近方案的实际安全性.因此,近年来对弱化随机谕言模型的研究也逐渐成为热点.下面给出简单介绍.5.1 弱化的随机谕言模型(weakened random oracle model)Liskov在2006年提出了弱理想压缩函数(weak ideal compression function)的概念,并基于弱理想压缩函数构造了与理想杂凑函数不可分辨的杂凑函数[29].弱理想压缩函数是带攻击谕言的随机谕言,以下描述了弱理想压缩函数的一些常见弱点:1) 碰撞易解(collision tractable);2) 第二原像易解(second pre-image tractable);3) 原像易解(first pre-image tractable).弱化的随机谕言模型便是指带有相应的攻击谕言的随机谕言模型,例如碰撞易解的随机谕言模型(CT-ROM)、第二原像易解的随机谕言模型(SPT-ROM)和原像易解的随机谕言模型(FPT-ROM).它们的强度依次减弱,FPT-ROM中的安全性蕴涵SPT-ROM中的安全性.2010年,Kawachi等人在弱化的随机谕言模型中分析了f-OAEP和Fujisaki-Okamoto转换在这些弱化的随机谕言模型中的安全性[30],并得到如下结论:。
key agreement protocol
one of the protocols that extend the Diffie-Hellman protocol to a group key agreement protocol with oneway function trees.
Reddy and Divya Nalla [5] extend the identity-based two-party authenticated key agreement protocol to an authenticated group key agreement protocol, using one-way function trees to obtain the first ID-based group key agreement protocol. In their protocol the leaves of the tree denote the individual users of the group. Sheng-Hua Shiau et al.'s protocol [10] also uses a key tree structure, but a complete binary tree, i.e. each node in the tree represents one user. A ternary-tree-based protocol was proposed by Barua et al. [8], extending the basic protocol of Joux [8] to the multi-party setting. In their protocol the leaves of the tree denote individual users and each internal node corresponds to a representative of the set of users in the subtree rooted at that node; but their protocol is also unauthenticated. Dutta et al. [7] authenticate this unauthenticated protocol using multi-signatures. In this paper, we propose a group key agreement protocol based on the Weil pairing. Our protocol uses ID-based authentication and a complete ternary tree architecture in which every node of the tree represents a user of the group. If some users want to join or leave the group, not all users in the group need to redo all their computations to obtain the secret key, so it is suited to dynamically changing environments. This paper is organized as follows: Section 2 presents the notation and assumptions. Section 3 is the proposed protocol. Section 4 analyses the security properties we are concerned with. Section 5 compares the computational overhead with other protocols. Finally, Section 6 gives our conclusion.
Bilinear functions and their applications
1 Common Euclidean spaces
2 Bilinear functions
2.1 Simple properties of linear functions
2.1.1 Definition of a linear function
3.1 Relationship between the matrices of a bilinear function under different bases
3.2 Matrices corresponding to different bilinear functions under the same basis
4 Bilinear functions, symplectic spaces and dual spaces
4.1 Bilinear functions and symplectic spaces
4.2 Bilinear functions and dual spaces
5 Application areas of bilinear functions
6 Conclusion
Key words: Double linear function, and the matrix of the contract, the matrix of the similar
Preface

Bilinear functions are an important part of the theory of linear algebra. They touch on many topics, such as symmetric matrices, antisymmetric matrices, quadratic forms, orthogonal matrices and symplectic matrices; in particular, bilinear functions are closely related to linear functions. Problems that involve quantities depending on several factors require the study of multivariate functions; if the dependence under study is linear, the problem is called a linear problem. Historically the first problem of linear algebra was the solution of systems of linear equations, and the development of the theory of linear systems in turn led to the creation and development of matrix theory and determinant theory as tools; these topics now form the main part of our linear algebra textbooks. The earliest problems on linear systems mostly came from practical life, and it was precisely practical problems that stimulated the birth and development of linear algebra as a discipline. In addition, the demands of modern mathematical analysis, geometry and other branches of mathematics have also driven the further development of linear algebra.
An identity-based multi-signature scheme using bilinear pairings

Article number: 16711742(2011)02014906. An identity-based multi-signature scheme using bilinear pairings. Chen Sisheng (陈泗盛) 1, Xu Li (许力) 2 (1. Department of Mathematics and Computer Science, Fuqing Branch of Fujian Normal University, Fuqing 350300, Fujian, China; 2. Key Lab of Network Security and Cryptology, Fujian Normal University, Fuzhou 350007, Fujian, China). Abstract: In view of the fact that the multi-signature schemes proposed so far are not suitable for identity-based cryptosystems built on bilinear pairings, and observing that certain application environments need both the multi-signature idea and an identity-based key system, an identity-based multi-signature scheme using bilinear pairings that is suitable for identity-based cryptosystems is constructed on the basis of the digital signature scheme of Hess et al., using the multi-signature construction method of Harn et al.
The correctness and security of the scheme are analysed by means of the relevant theorems.
Key words: information security; digital signature; multi-signature scheme; identity; bilinear pairing. CLC number: TP393. Document code: A. Received: 3. Foundation item: National Natural Science Foundation of China project (6). 1 Introduction. A digital multi-signature scheme is a type of signature scheme that allows several signers to jointly sign the same message, producing a single signature of fixed size, so that a verifier can confirm the validity of the signature just as in an ordinary digital signature scheme.
In 1994 Harn et al. proposed a multi-signature scheme based on the discrete logarithm problem [1]; the formal definition was given in [2].
In recent years the study of multi-signature schemes has attracted more and more attention [1-5], but most existing research focuses on identity-based multi-signature schemes.
This paper considers two aspects in proposing an identity-based multi-signature scheme using bilinear pairings.
On the one hand, the idea of a digital multi-signature resembles a threshold signature scheme, in which a signature is produced by the joint participation of a group of signers whose number must be greater than or equal to a preset threshold.
There is, however, a difference between them: the biggest difference between a multi-signature scheme and a threshold or group signature scheme is that in the latter the signers are chosen in advance and the group of signers cannot be changed during use, whereas in a multi-signature scheme the group of signers can be formed dynamically from arbitrary signers.
On the other hand, a multi-signature scheme can turn the several signatures generated on the same message by several signers into one signature of fixed length for storage, so that each signer's signature need not be stored separately; at verification time a single verification suffices to confirm that the several signers have all signed the same message.
Analysis and comparison of image fusion algorithms

April 2010 issue, Algorithm Languages, Information & Computer (China Computer & Communication). 1. Introduction. Image stitching technology arose because the limited viewing angle of imaging equipment makes it impossible to capture a very large picture in one shot.
Image stitching solves the problem that, because of the limited field of view and size of cameras and other imaging instruments, a very large picture cannot be captured in a single shot.
It uses a computer to perform automatic matching and synthesise a wide-angle picture, so it has very broad practical uses, and research on it has also driven research on image processing algorithms.
Figure 1: flowchart of image stitching. The basic flow of image stitching is shown in Figure 1-1: first the images to be stitched are acquired, then image registration and image fusion are performed, and finally the stitched image is obtained.
Image stitching consists mainly of two key stages, image registration and image fusion.
Image registration mainly refers to extracting matching information from the reference image and the image to be stitched, finding a transformation model between the images from the extracted information, and then aligning the image to be stitched to the reference image through the transformation model; after the transformation the image coordinates are no longer integers, which brings in resampling and interpolation techniques.
Whether stitching succeeds depends mainly on image registration.
Between the images to be stitched there may be translation, rotation, scaling and other transformations, or large same-coloured regions that are hard to match; a good registration algorithm should be able to find the correspondence between the images accurately and match them under all of these conditions.
The task of image fusion is to merge the two registered images into one image according to the aligned positions.
Since there is an overlapping region between two adjacent images, a registration algorithm can be used to align the images.
However, the goal of image stitching is to obtain a seamless stitched image [1].
Seamless means that no trace of the two images left by the stitching process should be visible in the result, i.e. no stitching seam may appear.
Because the two images being stitched are not captured at the same moment, they are inevitably affected by various uncertain factors.
Because of these uncontrollable factors, if after image registration the two images are simply superimposed according to the overlap-region information obtained in that process, a clearly visible seam will inevitably appear at their junction, which fails the seamlessness requirement of image stitching.
How to set up a secure and stable wireless LAN

How to set up a secure and stable wireless LAN. Abstract: The development of wireless networks has brought many conveniences to people's work and life, but its increasingly prominent security problems are also growing.
In view of the characteristics of wireless LANs, their security risks are analysed and corresponding countermeasures are given.
Key words: wireless LAN; network security; countermeasures. 1 Overview. A WLAN was originally an extension of the wired LAN, but as its range of application has grown, WLANs are continually developing in the direction of "public wireless LANs" and becoming a means of broadband access to the Internet.
WLANs have many advantages, such as ease of installation, extension and maintenance, strong confidentiality and interference resistance.
2 Security risks of wireless LANs. Within the signal coverage of a wireless LAN, any device with Wi-Fi client software can receive the signal.
Some security protocols, such as WEP and WPA, can be easily tampered with.
Wireless security requirements should include: whether there is user access authentication, data encryption, certified security technologies (such as IPsec/SSL VPN), and whether the corresponding 802.11 standards are supported.
The main security risks are: 2.1 Information is easily intercepted. WLAN communication uses radio waves in the 2.4 GHz band over an open channel; an eavesdropper who wants to obtain useful information or related data, or to analyse such data, needs only a client machine with a wireless network card or a wireless scanner.
2.2 Authentication keys are easily cracked. Because the wireless encryption protocols (WEP, WPA, WPA2) can all be attacked with commercially available cracking tools, a wireless password can be cracked in a short time, leading to illegal use of the network.
2.3 Denial-of-service attacks. A denial-of-service attack does not steal information; it makes users unable to access network services.
An attacker only needs to set up a signal generator whose radio-frequency interference reaches a certain level, so that legitimate traffic cannot reach the access point and client users cannot find the signal source, at which point the wireless network card stops working. In addition, since the bandwidth of a wireless LAN is limited, an attacker can generate large numbers of useless packets that gradually exhaust network resources until the wireless LAN can no longer operate at all.
2.4 MAC address spoofing. One or more wireless APs can identify a client user by MAC address.
The AP keeps a MAC address list that records the MAC addresses of the client network cards that access this AP; a user whose address does not appear in the AP's MAC address list cannot access the AP.
Research on the secure application of the Apache Shiro framework in Web systems

Column editor: Dai Ying. Network communication and security. Research on the secure application of the Apache Shiro framework in Web systems. Liang Qinghua (梁清华), Hu Anming (胡安明) (Guangzhou Institute of Science and Technology, Guangzhou 510540, Guangdong, China). Abstract: Authorised user access in Web systems. With the continuous development of Internet technology, Web security has become one of the key concerns in the development and construction of information systems.
This paper, using the Apache Shiro framework, discusses how to apply Apache Shiro in Web systems to improve system security and robustness, providing ideas for building secure information systems.
Key words: Apache Shiro; RBAC model; information system security. CLC number: TP311. Document code: A. Article number: 1009-3044(2021)06-0052-02. Open Science Identifier (OSID). 1 Introduction. With the development of Internet technology, information systems of all kinds play an increasingly important role, from people's work and life to the nation's economic construction.
Ensuring the security of information systems is an important foundation of their operation; information system security is therefore an important research topic in its own right.
Web information system security strategies can be classified as DAC (discretionary access control), ACL (access control list), MAC (mandatory access control) and RBAC (role-based access control); of these, RBAC is the most widely used.
This paper studies the RBAC policy in Web information systems and discusses how, using Apache Shiro, an access control method combining roles, permissions and resources can be implemented.
2 The Apache Shiro framework. Shiro originated in the JSecurity project and joined the Apache Foundation in 2008, becoming an Apache open-source Java security development framework. Shiro uses a modular design with good robustness and ease of use; it provides a series of security management facilities including authentication, authorization, data encryption and session management, can provide security solutions for all kinds of information systems, and is currently the security framework most widely used on the Java EE platform.
The Apache Shiro framework consists mainly of four parts: Authentication, Authorization, Session Management and Cryptography.
Identity-based encryption from the Weil pairing

Definitions

Identity-based encryption, chosen-ciphertext security (IND-CCA). An identity-based encryption scheme is IND-ID-CCA secure (identity-based encryption against adaptive chosen-ciphertext attack). The formal definition is described by a game between an adversary A and a challenger: Setup: the challenger runs the setup algorithm with security parameter K, keeping msk private. Phase 1: (1) Extraction query: the challenger runs the private key extraction algorithm to produce the private key d corresponding to the identity ID and sends d to the adversary A. (2) Decryption query: the challenger runs the private key extraction algorithm to produce the private key d for the identity ID, then runs the decryption algorithm with d to decrypt the ciphertext, and sends the plaintext to A.

IND-ID-CPA

IND-ID-CPA (identity-based encryption against adaptive chosen-plaintext attack) is also a kind of symmetric encryption; it is defined as follows:
Setup: the challenger runs the setup algorithm with security parameter K; msk is kept private by the PKG.

Bilinear map and bilinear DH assumption

Decisional Diffie-Hellman problem (DDH): in G1, with q the order of G1, given ⟨P, aP, bP, cP⟩, decide whether c ≡ ab (mod q) holds.

Definitions

Challenge: once the adversary A decides that Phase 1 is over, it outputs two plaintexts M0 and M1 of equal length and an identity ID on which it wishes to be challenged, subject to the constraint that ID did not appear in any extraction query in Phase 1. The challenger picks a random bit b, sets C = Encrypt(pk, ID, Mb), and sends C to A as the challenge. Phase 2: (1) Extraction query: when IDi ≠ ID the challenger responds as in Phase 1; (2) Decryption query: when ⟨IDi, Ci⟩ ≠ ⟨ID, C⟩ the challenger responds as in Phase 1. Guess: finally, the attacker outputs a guess b′ ∈ {0, 1}; if b = b′ the attacker wins the game.
A new structured multi-signature scheme

A new structured multi-signature scheme. Fu Chunhai (付春海); Peng Changgen (彭长根). Abstract: Based on the short signature scheme proposed by Boneh, Lynn and Shacham (BLS for short) and topological sorting of directed acyclic graphs, a new structured multisignature scheme was proposed. The size and complexity of the multisignature is the same as the signature by a single signer. Moreover, the construction of the scheme is simple and the scheme can be implemented efficiently. We proved that it's secure against all kinds of attacks. Journal: Journal of Guizhou University (Natural Sciences). Year (volume), issue: 2011(028)002. Pages: 3 (P67-69). Key words: GDH group; structured multi-signature; signature structure; topological sorting. Authors: Fu Chunhai; Peng Changgen. Affiliation: College of Computer Science and Information, Guizhou University, Guiyang 550025, Guizhou, China (both authors). Language: Chinese. CLC number: TP309.2. A multi-signature is a signature that a document requires several signers to produce jointly. Multi-signatures are divided into sequential and broadcast multi-signatures; in a sequential multi-signature the order of the signers is called the signature structure, and if the structure is known before signing and does not change during the signing process, the multi-signature is called structured.
Basic principles of IBE

IBE

Identity-Based Encryption, abbreviated IBE

First proposed by Shamir in 1984; the original motivation was to simplify certificate management in e-mail systems: any pair of users can communicate securely and verify each other's signatures without exchanging private or public keys, and without keeping a key directory or a third-party service.

Identity-Based Cryptography, abbreviated IBC
How IBE works (5)

When an entity obtains its private key from the PKG, the PKG must authenticate the entity's identity:

to prevent an impostor from obtaining the entity's private key; the private key may only be obtained by the corresponding entity, otherwise there is no secrecy at all.
Implementation of IBE (1)

Shamir proposed the concept of IBE in 1984; an identity-based digital signature scheme had already been given by Shamir in 1984. In 2001, Boneh et al. used the elliptic-curve bilinear
How IBE works (3)

Communication between entities under IBE

Entity A wants to communicate securely with entity B

① Using entity B's ID and the public parameters published by the PKG, A computes B's public key, encrypts the message and sends it to B

② If entity B has not yet obtained its private key from the PKG, it obtains it from the PKG

③ Entity B decrypts the message sent by A with its private key

As shown in the figure on the next page
How IBE works (4)

Here Fun1 and Fun2 are both public functions.

[Figure: Private Key Generator holding the Master Key (secret) and publishing the Public Params (public). A computes B's public key PubB = Fun1(Params, IDB), encrypts the message and sends it. B obtains its own private key PriB = Fun2(MasterKey, IDB) and decrypts the message sent by A.]
Compute the Weil pairing
• A natural choice of divisors is $D_S = [S] - [\infty]$ and $D_T = [T+R] - [R]$.
• Then we can compute
$$e_n = \frac{f_T(D_S)}{f_S(D_T)} = \frac{f_T(S)}{f_T(\infty)} \times \frac{f_S(R)}{f_S(T+R)} = \frac{f_T(S)\, f_S(R)}{f_S(T+R)\, f_T(\infty)}$$
Primitive (2)
[Figure: the map $\alpha_n : E[n^2] \to E[n]$ (multiplication by $n$), with $E[n^2]$ of order $n^4$ and $E[n]$ of order $n^2$; a point $T'' \in E[n^2]$ maps to $T \in E[n]$, and $E[n]$ itself maps to $\infty$.]
$T''$ lies in a coset of $E[n^2]$ classified by $E[n]$. Every coset has $n^2$ elements and there are $n^2$ cosets. If $nT'' = nT' = T$ then $T'' + E[n] = T' + E[n]$.
Example
5. We have
$$f_{(0,3)}(D_{(5,1)}) = \frac{f_{(0,3)}(3, 6)}{f_{(0,3)}(6, 1)} = \frac{6 - 3}{1 - 3} \equiv 2 \pmod 7$$
$$f_{(5,1)}(D_{(0,3)}) = \frac{f_{(5,1)}(0, 3)}{f_{(5,1)}(\infty)} = \frac{\Big(\dfrac{4x - y + 1}{5x - y - 1}\Big)(0, 3)}{1} = \frac{4}{1} \equiv 4 \pmod 7$$
(numerators are evaluated at $(x, y) = Q_1$, denominators at $(x, y) = Q_2$).
Miller’s algorithm (1)
• Define $v_j = f_j(Q_1)/f_j(Q_2)$; then $v_{j+k} = v_j \times v_k \times \dfrac{(L_1/L_2)(Q_1)}{(L_1/L_2)(Q_2)}$, where $L_1$ is the line through $jP$ and $kP$ and $L_2$ is the vertical line through $(j+k)P$ and $-(j+k)P$.
• Use successive doubling to get $v_n$.
• Start with $i = n$, $j = 0$, $k = 1$, $v_0 = 1$, $v_1 = f_1(Q_1)/f_1(Q_2)$, where $\operatorname{div}(f_1) = [P+R] - [P] - [R] + [\infty]$.
Primitive (4)
• From $\operatorname{div}(f \circ n) = \operatorname{div}(g^n)$ we have $f \circ n = c \cdot g^n$ for some constant $c$.
• Let $S \in E[n]$ and $P \in E(\bar K)$; then $g(P+S)^n = f(n(P+S)) = f(nP) = g(P)^n$.
• Therefore $g(P+S)/g(P) \in \mu_n$.
• In fact, $g(P+S)/g(P)$ is independent of $P$ (by Zariski topology?).
Miller’s algorithm (2)
1. If $i$ is even, compute $v_{2k} = v_k^2 \times G(Q_1, Q_2)$, set $i = i/2$, $k = 2k$, $j = j$, and save $(v_j, v_k)$.
2. If $i$ is odd, compute $v_{j+k} = v_j \times v_k \times \dots$, set $i = i - 1$, $k = k$, $j = j + k$, and save $(v_j, v_k)$.
3. If $i \neq 0$ go to step 1, else output $v_j$.
$$\qquad + \operatorname{div}\!\Big(\frac{ax + by + c}{x + d}\Big) = D_j + D_k + \operatorname{div}\!\Big(\frac{ax + by + c}{x + d}\Big) = \operatorname{div}(f_j) + \operatorname{div}(f_k) + \operatorname{div}\!\Big(\frac{ax + by + c}{x + d}\Big) = \operatorname{div}\!\Big(f_j f_k \frac{ax + by + c}{x + d}\Big)$$
3. That is, $f_{j+k} = t \cdot f_j f_k \cdot \dfrac{ax + by + c}{x + d}$ for some constant $t$.
4. Therefore
$$\frac{f_{j+k}(Q_1)}{f_{j+k}(Q_2)} = \frac{t\, f_j(Q_1)\, f_k(Q_1) \cdot \Big(\dfrac{ax + by + c}{x + d}\Big)(Q_1)}{t\, f_j(Q_2)\, f_k(Q_2) \cdot \Big(\dfrac{ax + by + c}{x + d}\Big)(Q_2)}$$
Example
• Let $E$ be the elliptic curve over $\mathbb{F}_7$ defined by $y^2 = x^3 + 2$. Then $E(\mathbb{F}_7)[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$.
• In fact, that is all of $E(\mathbb{F}_7)$.
• Let's compute $e_3((0, 3), (5, 1))$.
Definition
• Define the Weil pairing by $e_n(S, T) = g(P+S)/g(P)$.
• This definition is independent of the choice of $g$ and independent of the auxiliary point $P$.
• Note: $e_n(S, T)$ is computed as follows: first compute the function $f$ for $T$, then determine $g$ from $f$. In this step $g$ has many possible choices, but these choices do not affect the value of $e_n(S, T)$, so the result is independent of $g$. The auxiliary point $P$ does not affect the result either; both facts will be seen in the theorems and computations that follow.
• The proofs of the properties of the Weil pairing (bilinearity, ...) are omitted here.
1. Let D(0, 3) = [(0, 3)]-[∞], D(5, 1) = [(3, 6)]-[(6, 1)] Where (3, 6) = (5, 1) + (6,1) 2. We need two functions f(0, 3) and f(5, 1), such that div(f(0, 3)) = 3D(0, 3) and div(f(5, 1)) = 3D(5, 1)
The Weil Pairing
Presented by J.liu
Outline
• Primitive
• Definition
• Theorems
• Computation of the pairings
Primitive (1)
• $E$ is an elliptic curve over $K$ and $n$ is an integer not divisible by $\operatorname{char}(K)$.
• $E[n]$ is the $n$-torsion subgroup, that is $E[n] = \{P \in E(\bar K) \mid nP = \infty\} \subseteq E(K)$, where we assume that $\mu_n = \{x \in \bar K \mid x^n = 1\} \subseteq K$.
• Let $T \in E[n]$; then there exists a function $f$ such that $\operatorname{div}(f) = n[T] - n[\infty]$.
• Note that $f$ has a zero of order $n$ at $T$ and a pole of order $n$ at $\infty$.
Example: compute v13
1. i = 13, j = 0, k = 1, (v0, v1). [1101] 2. i = 12, j = 1, k = 1, (v1, v1). [1100] 3. i = 6, j = 1, k = 2, (v1, v2). [110] 4. i = 3, j = 1, k = 4, (v1, v4). [11] 5. i = 2, j = 5, k = 4, (v5, v4). [10] 6. i = 1, j = 5, k = 8, (v5, v8). [1] 7. i = 0, j = 13, k = 8, (v13, v8). [0] Note: there are 5 point adding operations, that is ((numbers of 1)-1)×2+numbers of 0+(0 or 1){0 for right-most bit is 1}
– Let $ax + by + c = 0$ be the line through $jP$ and $kP$.
– Let $x + d = 0$ be the vertical line through $(j+k)P$.
1. $\operatorname{div}\!\Big(\dfrac{ax + by + c}{x + d}\Big) = [jP] + [kP] - [(j+k)P] - [\infty]$
2. Therefore
$$\operatorname{div}(f_{j+k}) = D_{j+k} = (j+k)[P+R] - (j+k)[R] - [(j+k)P] + [\infty] = \big(j[P+R] - j[R] - [jP] + [\infty]\big) + \big(k[P+R] - k[R] - [kP] + [\infty]\big)$$
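Miller's algorithm from the slides, together with the worked computation of $e_3((0,3),(5,1))$ on $y^2 = x^3 + 2$ over $\mathbb{F}_7$, carried through as an added runnable example; this is not code from the slides. The block keeps every evaluation at an affine point by shifting both divisors, $D_S = [S+R_1] - [R_1]$ and $D_T = [T+R_2] - [R_2]$, and searching for auxiliary points $R_1, R_2$ that avoid every zero and pole; that choice (the slides shift only $D_T$ and evaluate $f_T(\infty)$ by hand) and the names `Curve`, `miller`, `inv_ratio` and `weil_pairing` are this example's own. Because the pairing is well defined for any divisors in the same classes with disjoint supports, the result agrees with the slides' convention:

```python
from itertools import product


class Curve:
    """y^2 = x^3 + a*x + b over F_p (toy sizes). Affine points are (x, y); None is infinity."""

    def __init__(self, a, b, p):
        assert (4 * a**3 + 27 * b**2) % p != 0, "singular curve"
        self.a, self.b, self.p = a, b, p

    def points(self):
        """Brute-force enumeration of E(F_p); only sensible for tiny p."""
        pts = [None]
        for x in range(self.p):
            rhs = (x**3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if y * y % self.p == rhs]
        return pts

    def add(self, P, Q):
        p = self.p
        if P is None or Q is None:
            return Q if P is None else P
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return None                                   # Q == -P
        if P == Q:
            lam = (3 * P[0] ** 2 + self.a) * pow(2 * P[1], -1, p) % p
        else:
            lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
        x3 = (lam * lam - P[0] - Q[0]) % p
        return (x3, (lam * (P[0] - x3) - P[1]) % p)

    def mul(self, k, P):
        R = None
        for _ in range(k):                                # toy scalar multiplication
            R = self.add(R, P)
        return R

    def line(self, A, B, Q):
        """Value at affine Q of the line through A and B: the tangent if A == B, the
        vertical line if A == -B or one point is infinity, the constant 1 if both are."""
        p, (x, y) = self.p, Q
        if A is None and B is None:
            return 1
        if A is None or B is None:
            return (x - (A or B)[0]) % p
        if A[0] == B[0] and (A != B or A[1] == 0):
            return (x - A[0]) % p
        if A == B:
            lam = (3 * A[0] ** 2 + self.a) * pow(2 * A[1], -1, p) % p
        else:
            lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
        return (y - A[1] - lam * (x - A[0])) % p


def inv_ratio(num, den, p):
    """num / den in F_p."""
    return num * pow(den, -1, p) % p


def miller(E, P, R, Q, n):
    """Evaluate at Q the function f_n with div(f_n) = n[P+R] - n[R] - [nP] + [inf], via
    the slides' recurrence f_{j+k} = f_j f_k line(jP,kP)/vert((j+k)P) from f_1 =
    vert(P+R)/line(P,R). Raises ZeroDivisionError whenever Q hits a zero or pole of a
    factor, so the caller can retry with other auxiliary points."""
    p = E.p

    def ratio(num, den):
        if num % p == 0 or den % p == 0:
            raise ZeroDivisionError("Q lies on a zero or pole")
        return inv_ratio(num, den, p)

    def vert(C):                                          # vertical line through C
        return 1 if C is None else (Q[0] - C[0]) % p

    v_k, kP = ratio(vert(E.add(P, R)), E.line(P, R, Q)), P    # v_1 = f_1(Q)
    v_j, jP, i = 1, None, n                               # v_0 = 1; invariant j + k*i == n
    while i:
        if i % 2 == 0:                                    # doubling step gives v_{2k}
            v_k = ratio(v_k * v_k * E.line(kP, kP, Q), vert(E.add(kP, kP)))
            kP, i = E.add(kP, kP), i // 2
        else:                                             # addition step gives v_{j+k}
            v_j = ratio(v_j * v_k * E.line(jP, kP, Q), vert(E.add(jP, kP)))
            jP, i = E.add(jP, kP), i - 1
    return v_j


def weil_pairing(E, S, T, n):
    """e_n(S,T) = f_T(D_S) / f_S(D_T) with D_S = [S+R1]-[R1] and D_T = [T+R2]-[R2].
    Shifting both divisors (this example's choice; the slides shift only D_T) keeps
    every evaluation affine; R1, R2 are searched until no evaluation meets a pole."""
    assert E.mul(n, S) is None and E.mul(n, T) is None, "S and T must lie in E[n]"
    if S is None or T is None:
        return 1
    affine = [P for P in E.points() if P is not None]
    for R1, R2 in product(affine, repeat=2):
        SR1, TR2 = E.add(S, R1), E.add(T, R2)
        if SR1 is None or TR2 is None:
            continue
        try:
            fT_DS = inv_ratio(miller(E, T, R2, SR1, n), miller(E, T, R2, R1, n), E.p)
            fS_DT = inv_ratio(miller(E, S, R1, TR2, n), miller(E, S, R1, R2, n), E.p)
        except ZeroDivisionError:
            continue
        return inv_ratio(fT_DS, fS_DT, E.p)
    raise ValueError("no usable auxiliary points")


if __name__ == "__main__":
    E7 = Curve(0, 2, 7)                   # the slides' curve y^2 = x^3 + 2 over F_7
    print(len(E7.points()), "points; e_3((0,3),(5,1)) =", weil_pairing(E7, (0, 3), (5, 1), 3))
```

Running it reports the 9 points of $E(\mathbb{F}_7)$ and $e_3((0,3),(5,1)) = 2$, a cube root of unity in $\mathbb{F}_7$. Evaluating `weil_pairing` on the same curve with the arguments swapped, or with $S$ against itself, exercises the alternating and bilinearity properties listed on the pairing-properties slide ($e_3(T,S) = e_3(S,T)^{-1}$, $e_3(S,S) = 1$, $e_3(-S,T) = e_3(S,T)^{-1}$).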
Primitive (3)
• Choose $T' \in E[n^2]$ such that $nT' = T$; then there exists a function $g$ such that $\operatorname{div}(g) = \sum_{R \in E[n]} \big([T'+R] - [R]\big)$.
• Note that $g$ does not depend on which $T''$ is chosen.
• $\operatorname{div}(g) = \sum [T''] - \sum [R]$, where $nT'' = T$ and $R \in E[n]$.
• We have $\operatorname{div}(f \circ n) = n \sum [T'+R] - n \sum [R] = \operatorname{div}(g^n)$.
• Note that $f \circ n$ has zeros of order $n$ at every $T''$ with $nT'' = T$ and poles of order $n$ at every $R \in E[n]$.