Authors: Rongmao CHEN [1]; Yi WANG [1]; Xinyi HUANG (School of Computer, National University of Defense Technology, Changsha 410073, China; Artificial Intelligence Thrust, Information Hub, Hong Kong University of Science and Technology (Guangzhou), Guangzhou 511466, China)
Affiliations: [1] School of Computer, National University of Defense Technology, Changsha 410073 [2] Hong Kong University of Science and Technology (Guangzhou), Guangzhou 511466
Source: Scientia Sinica (Informationis), 2023, No. 2, pp. 266-281, 16 pages
Funding: Supported by the National Natural Science Foundation of China (Grant Nos. 62122092, 62032005, 61702541).
Abstract: SM2 cryptographic algorithms have become vital in achieving independently controllable security for national networks and information systems. However, recent studies have shown that in a real-world implementation, the SM2 encryption algorithm might suffer from effective algorithm substitution attacks, which enable attackers to obtain the randomness used in the next-round encryption from the current ciphertext, and thus could decrypt all the successive ciphertexts without a decryption key. A cryptographic reverse firewall has been considered a useful tool to defend against such an attack by rerandomizing a ciphertext, which, however, is incompatible with the CCA security of the SM2 encryption algorithm. To tackle this problem, this work improves the SM2 encryption algorithm for Replayable-CCA (RCCA) security, which could offer a similar security guarantee as CCA while supporting ciphertext rerandomizability for using cryptographic reverse firewalls. The core idea is to apply the OAEP three-round design paradigm by Phan et al. to the context of the SM2 encryption algorithm and rigorously prove its RCCA security in the random oracle model. The proposed scheme is the first rerandomizable RCCA-secure public-key encryption scheme based on SM serial algorithms and could help enhance the security of the SM2 encryption algorithm in real-world applications.
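Keywords: SM2 encryption algorithm; RCCA; rerandomizability; cryptographic reverse firewall
Classification: TN918.1 [Electronics and Telecommunications - Communication and Information Systems]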