翁健 (Jian Weng), 黃欣沂 (Xinyi Huang), 何德彪 (Debiao He)
1. Jinan University, Guangzhou 510632, China
2. College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117, China
3. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
Cryptography is an important strategic resource of the state and bears directly on national political, economic, defense and information security. Under the Cryptography Law of the People's Republic of China, in force since 1 January 2020, cryptography is classified into core cryptography, common cryptography and commercial cryptography. Core and common cryptography protect state secrets and are themselves state secrets; commercial cryptography protects information that is not a state secret, and citizens, legal persons and other organizations may lawfully use it to protect network and information security. Organized by the State Cryptography Administration, China's independently designed commercial cryptographic algorithms (the SM algorithms), including the elliptic-curve public-key algorithm SM2, the hash algorithm SM3, the block cipher SM4, the stream cipher ZUC (Zu Chongzhi) and the identity-based algorithm SM9, have become national standards and effectively safeguard national network and information security.
Although domestic commercial cryptography has grown from nothing into a mature body of standards, these algorithms were designed to meet the common baseline security needs of network and information systems. As informatization advances, more and more sensitive services are going online, giving rise to new security requirements such as immunity to key exfiltration, anonymous authentication, double-blind authentication, sharing among multiple users and non-slanderability. There is an urgent need to build functional cryptography on top of the existing domestic commercial algorithms so that they can continue to provide effective security services for network and information systems.
This issue of Journal of Cryptologic Research (密碼學(xué)報(bào)) presents the special column "SM Public-Key Cryptography" (國(guó)產(chǎn)商用公鑰密碼). Focusing on the public-key algorithms SM2 and SM9 among the domestic commercial algorithms, and guided by the new security requirements of network and information systems and the current state of the field, it offers a small selection of recent work by Chinese researchers. The column collects four papers, summarized briefly below.
The paper "Key Exfiltration on SM2 Cryptographic Algorithms" starts from the fact that domestic commercial algorithms, once deployed, are exposed to analysis and attack by parties with a range of motives. Taking the SM2 digital signature algorithm and the SM2 public-key encryption algorithm as its targets, it presents two efficient and hard-to-detect key exfiltration attacks: (1) against SM2 signatures, the exfiltration attacker recovers the complete signing private key from two consecutive signatures; (2) against SM2 public-key encryption, the attacker predicts the session key of the next encryption from the current ciphertext and can therefore decrypt it. The key exfiltration threat facing SM2 is thus more serious than the generic attacks known so far. In response to these attacks, the paper discusses exfiltration-resistant techniques applicable to SM2 that preserve the security of both the signature and the encryption algorithm.
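The summary above does not describe the mechanism of the paper's attack, and the example that follows is not the paper's code. It is an added illustration of why two consecutive signatures from a subverted signer are enough to expose the whole key: it implements the SM2 signature equations on the standard SM2 curve and shows that if the signer makes the second nonce k2 = k1 + delta for a delta the attacker knows (delta = 0 is plain nonce reuse), the private key d follows from the two (r, s) pairs by a single modular division. The delta relation, the function names and the use of SHA-256 as a stand-in for the SM3-based digest e are assumptions made for this demonstration; the recovery algebra does not depend on how e is computed.

```python
"""Added example: related-nonce key recovery for SM2 signatures.
Assumptions (not from the page): SHA-256 stands in for the SM3-based digest e,
and the subverted signer uses k2 = k1 + delta with delta known to the attacker.
Needs Python 3.8+ for pow(x, -1, m)."""
import hashlib
import secrets

# Recommended SM2 curve (GB/T 32918.5): y^2 = x^3 + A*x + B over GF(P), G of order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def digest(msg: bytes) -> int:
    # SM2 computes e = SM3(Z_A || M); SHA-256 is an assumed stand-in here.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_with_nonce(d, e, k):
    """SM2 signature equations for a fixed nonce k; None means k must be retried."""
    x1, _ = mul(k, G)
    r = (e + x1) % N
    if r == 0 or r + k == N:
        return None
    s = pow(1 + d, -1, N) * (k - r * d) % N
    return None if s == 0 else (r, s)


def verify(pub, e, sig):
    """Standard SM2 verification: (x1, y1) = [s]G + [r+s]P, accept if e + x1 == r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    t = (r + s) % N
    if t == 0:
        return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not None and (e + pt[0]) % N == r


def subverted_sign_pair(d, e1, e2, delta):
    """Subverted signer (assumed model): second nonce k2 = k1 + delta mod N."""
    while True:
        k1 = secrets.randbelow(N - 1) + 1
        k2 = (k1 + delta) % N
        if k2 == 0:
            continue
        sig1 = sign_with_nonce(d, e1, k1)
        sig2 = sign_with_nonce(d, e2, k2)
        if sig1 and sig2:
            return sig1, sig2


def recover_key(sig1, sig2, delta):
    """From s = (1+d)^-1 (k - r d) we get k = s + (s + r) d (mod N).
    Subtracting the two nonce equations with k2 - k1 = delta isolates d."""
    r1, s1 = sig1
    r2, s2 = sig2
    den = ((s2 + r2) - (s1 + r1)) % N
    if den == 0:
        raise ValueError("degenerate signature pair")
    return (delta + s1 - s2) * pow(den, -1, N) % N


def demo(delta=0):
    """Generate a key, obtain two related-nonce signatures, recover d."""
    d = secrets.randbelow(N - 2) + 1            # SM2 private key in [1, N-2]
    pub = mul(d, G)
    e1, e2 = digest(b"invoice #1"), digest(b"invoice #2")   # constructed messages
    sig1, sig2 = subverted_sign_pair(d, e1, e2, delta)
    assert verify(pub, e1, sig1) and verify(pub, e2, sig2)  # both look honest
    return recover_key(sig1, sig2, delta) == d


if __name__ == "__main__":
    print("nonce reuse    ->", demo(0))
    print("related nonces ->", demo(0x1234))
```

Both signatures verify under the standard SM2 algorithm, so nothing in the signatures themselves reveals the subversion; only the attacker who knows the nonce relation can run recover_key. That is the point of the "hard-to-detect" qualifier in the paper summary, and why the countermeasures discussed there have to constrain how nonces are generated rather than rely on verifiers noticing anything.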
The paper "SM2-Based Multi-Recipient Public-Key Encryption" addresses the need for secure data sharing from one sender to many receivers in network and information systems. Building on the SM2 public-key encryption algorithm, it proposes a randomness-reusing multi-recipient public-key encryption (RR-MRPKE) scheme and proves it IND-CCA secure, in the multi-recipient sense, in the random oracle model. The scheme protects data privacy in open multi-user networks, and reusing the randomness across recipients substantially reduces the sender's computation and improves encryption efficiency.
The paper "Ring Signature Schemes Based on SM2 Digital Signature Algorithm" addresses the need for anonymous authentication built on domestically designed primitives. Based on the SM2 digital signature algorithm, it proposes a ring signature scheme, a linkable ring signature scheme and two variants of the linkable scheme. The ring signature scheme is proved to satisfy correctness, unforgeability and unconditional anonymity; the linkable ring signature scheme satisfies correctness, unforgeability, unconditional anonymity, linkability and non-slanderability. A performance evaluation shows that both the communication and the computation cost of these schemes grow linearly with the number of ring members.
The paper "An Identity-Based Ring Signature Scheme for SM9 Algorithm" starts from the observation that identity-based ring signatures provide anonymity while avoiding the burden of public-key certificate management. Based on the SM9 identity-based signature algorithm, it constructs an identity-based ring signature scheme whose user signing-key generation is consistent with that of SM9, proves the scheme unforgeable and anonymous in the random oracle model, and shows through an efficiency analysis that its signing computation and communication cost are lower than those of existing schemes, making it more practical.
We hope this column will draw more domestic researchers to the analysis and design of commercial cryptography.