对Aigis-Enc方案的密钥重用分析  

作　　者：王克 宋非凡 李知行 张振峰[4] 江浩东 谢惠琴 WANG Ke;SONG Fei-Fan;LI Zhi-Xing;ZHANG Zhen-Feng;JIANG Hao-Dong;XIE Hui-Qin(Department of Cryptography and Science Technology,Beijing Electronic Science and Technology Institute,Beijing 100070,China;Key Laboratory of Cryptography of Zhejiang Province,Hangzhou Normal University,Hangzhou 311121,China;AECC Beijing Hangke Engine Control System Science&Technology Co.Ltd.,Beijing 102299,China;Institute of Software,Chinese Academy of Sciences,Beijing 100190,China;Henan Key Laboratory of Network Cryptography Technology,Zhengzhou 450001,China)

机构地区：[1]北京电子科技学院密码科学与技术系,北京100070 [2]杭州师范大学浙江省密码技术重点实验室,杭州311121 [3]中国航发北京航科发动机控制系统科技有限公司,北京102299 [4]中国科学院软件研究所,北京100190 [5]河南省网络密码技术重点实验室,郑州450001

出　　处：《密码学报(中英文)》2025年第1期84-95,共12页Journal of Cryptologic Research

基　　金：中央高校基本科研业务费(3282023002);浙江省密码技术重点实验室开放课题(ZCL21009);北京市自然科学基金(4234084)。

摘　　要：明文检查下的密钥恢复攻击对评估算法的密钥重用安全性至关重要,而Aigis-enc方案作为一种新型的后量子密钥封装机制,目前尚缺乏针对其密钥重用安全性的评估.为此,本文对Aigis-enc方案的密钥重用安全性展开分析,帮助方案明确潜在的风险.Aigis-enc方案由公钥加密方案Aigis-pke通过Fujisaki-Okamoto变换得到,Aigis-enc方案的密钥重用安全性取决于公钥加密方案Aigis-pke.特别地,本文对公钥加密方案Aigis-pke进行明文检查下的密钥恢复攻击,在攻击中,敌手通过询问明文检查预言机判断选择的密文是否可以解密为既定的明文,继而获得私钥的信息.经过多次询问,敌手可以完全恢复出私钥.在评估攻击复杂度时,结合密钥的概率分布,给出了攻击所需的实际询问次数.最后,本文给出应对措施,以在实际中安全应用该方案.The key recovery attack under plaintext checking is crucial for assessing the key reuse security of the algorithms.The Aigis-enc scheme,as a new type of post-quantum key encapsulation mechanism,currently lacks an evaluation of its key reuse security.For this reason,we analyze the key reuse security of the Aigis-enc scheme to help the scheme identify potential risks.The Aigis-enc scheme is derived from the public key encryption scheme Aigis-pke through the Fujisaki-Okamoto transformation.The key reuse security of the Aigis-enc scheme depends on the public key encryption scheme Aigis-pke.Specifically,we present a key recovery attack on the public key encryption scheme Aigis-pke under plaintext check in which the adversary determines whether the selected ciphertext can be decrypted into the given plaintext by querying the plaintext checking oracle,and then obtain the information about the secret key.After multiple queries,the adversary can fully recover the secret key.When evaluating the complexity of the attack,we give the actual number of queries required for the attack considering the probability distribution of the secret key.Finally,we give countermeasures to assure the secure application of the scheme in practice.

关 键 词：后量子密码 格密码 密钥重用 主动攻击 

分 类 号：TP309.7[自动化与计算机技术—计算机系统结构]