Preface to the Special Issue on Security Applications of Cryptography (Chinese and English)
2020-12-03
刘建伟 (Liu Jianwei), 林璟锵 (Lin Jingqiang), 黄欣沂 (Huang Xinyi), 汪定 (Wang Ding)
1. School of Cyber Science and Technology, Beihang University, Beijing 100083
2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093
3. College of Mathematics and Informatics, Fujian Normal University, Fuzhou 350117
4. College of Cyber Science, Nankai University, Tianjin 300350
Cryptography is the foundational theory of cyberspace security; it provides security services such as data confidentiality, data integrity, identity authentication and non-repudiation for all kinds of information systems. In real-world cryptographic applications, however, problems such as key leakage, easily guessed keys, predictable random numbers, fake digital certificates, the use of weak algorithms and vulnerabilities in cryptographic protocol implementations mean that cryptographic techniques and methods that are secure in theory (that is, provably secure under certain assumptions) fail to deliver the expected security. In particular, as informatization continues to advance, more and more sensitive services are going online, and whether cryptosystems can provide effective security services in real environments is an issue that urgently needs attention.
A cryptosystem can generally be divided into an algorithm and a key, so the objects of concern in the security of cryptographic applications can likewise be divided into algorithms and keys. In recent years, international research on the security of cryptographic applications has mainly concentrated on: 1) key management, in particular management policies and methods for every stage of the key life cycle (generation, distribution, use, storage, backup, recovery and destruction) in application environments such as the Internet, the Internet of Things, the Internet of Vehicles and blockchain; 2) key protection, including white-box implementations of cryptographic algorithms, side-channel attacks and defenses, key protection schemes that resist various software and hardware attacks, and key protection in new application environments such as the Internet of Things and industrial control networks; 3) digital certificate services, including certificate transparency, trust enhancement for digital certificate services, blockchain-based digital certificate services and the security of PGP certificate management; 4) cryptographic protocol security, such as the implementation security of TLS 1.3, the security of single sign-on services, and the design and application of threshold cryptographic algorithms; 5) high-speed implementation of cryptographic algorithms, such as high-speed implementations on general-purpose computing platforms, implementations on resource-constrained platforms, and high-speed GPU/FPGA/ASIC implementations; 6) cryptographic evaluation, such as the theory and application of random numbers and the security evaluation of cryptographic applications.
To promote the development of and research on the security of cryptographic applications in China, we organized a special issue on "Security Applications of Cryptography" in the Journal of Cryptologic Research (密码学报), presenting in concentrated form a small selection of recent research progress by Chinese scholars in this field. The special issue contains eight papers, briefly introduced as follows:
The paper "Research Progresses on Security Applications of Cryptography and Discussions on Validation of Software Cryptographic Modules" is a survey. It introduces the security requirements of current cryptographic application security technology and cryptographic module validation, then summarizes existing research results on the selection of theoretical cryptographic schemes, the design and implementation of random number generators, key security, usage control of cryptographic computation, key management and PKI infrastructure, and the implementation security of application-level cryptographic protocols. Finally, drawing on these results, it discusses the particular characteristics of software cryptographic implementations and points to note in their concrete deployment.
The paper "White-box Implementation of Multiple Point Operation and Its Applications" designs a new white-box implementation scheme for elliptic curve point multiplication. Its basic strategies are to express the multiplier in a special form, to build lookup tables that protect each of its components, and to network the table lookups so that the masks of the individual tables cancel out; the scheme thereby computes the correct final result while keeping the multiplier from leaking. The paper then uses this method to design white-box implementations of the SM2 and SM9 decryption algorithms with standard I/O interfaces, in which the decryption private key is effectively hidden. Finally, it extends the design strategy to modular exponentiation and constructs a white-box implementation of the RSA algorithm.
The paper "Security Definition Against Mass Surveillance, Revisited" addresses the problem that the current subversion-resistance standard for cryptosystems is overly demanding and hinders the deployment of most existing defenses. It proposes a security definition against subversion attacks that reflects practical needs more directly, and formally proves that every cryptosystem meeting the current subversion-resistance standard also satisfies the proposed definition. Under the new definition, the paper then proposes a defense based on running algorithms in isolation, which follows the "decomposition and amalgamation" model and is highly practical. Finally, in both the partial subversion model and the complete subversion model, it constructs symmetric encryption schemes based on isolated algorithm execution that satisfy the proposed security definition.
The paper "A NoisyRounds-based White-box AES Implementation and Corresponding Differential Fault Analysis" uses random redundant round functions together with the Chow et al. white-box AES (Chow-WBAES) construction to propose NoisyRounds, a hardening scheme for white-box AES. The scheme modifies the structure of round 10 of Chow et al.'s white-box AES and appends a group of rounds that confuse differential fault analysis (DFA), so as to resist DFA attacks. With a computational complexity of O(n^4), the scheme increases the difficulty of DFA attacks on white-box AES.
The paper "A New Method for White-box Implementation of SM4 Algorithm" combines key obfuscation with lookup-table techniques to design a white-box implementation of SM4 that expands the internal state (the WSISE algorithm). The algorithm resists code extraction attacks and the BGE attack. The paper also gives the memory required by the algorithm and experimentally reports the main cost of the proposed implementation under different existing analysis methods.
The paper "Key Agreement Protocol with Dynamic Property for VANETs" addresses the high number of communication rounds and the low key-update efficiency of traditional key agreement protocols by designing a key agreement protocol for VANETs that supports efficient key updates and dynamic membership, and proposes a shift-register-based construction of SBIBDs (symmetric balanced incomplete block designs). Using indistinguishability obfuscation, the paper further designs an efficient key update operation, achieving efficient key updates for dynamic VANETs.
The paper "Analysis and Improvement of Certificateless Signature Schemes" proposes a linearization equation analysis method and uses it to show that the certificateless signature schemes in several papers cannot resist Type I and Type II adversaries; it then summarizes the underlying reason why adversaries succeed in forging signatures in certificateless signature schemes. The paper also proposes an improved certificateless signature scheme and proves its unforgeability against adversaries in the random oracle model under the elliptic curve discrete logarithm assumption.
The paper "On the Design of Key Life Cycle Demonstration Based on Blockchain Technology" designs a blockchain-based demonstration scheme for the key life cycle. It explores applications of blockchain technology in PKI and related areas and, with practical scenarios in mind, designs five core functions: key generation, public key query, key update, key revocation and key archiving. Exploiting the decentralized nature of blockchain, the resulting decentralized network responds to concurrent requests more efficiently and offers the notable advantages of decentralization, collective maintenance, security and trustworthiness, traceability and tamper resistance, effectively addressing the pain points of traditional key life cycle management.
We hope that this special issue will draw more attention from researchers in China to the security of cryptographic applications.
Cryptography constitutes the basic theory of cyberspace security and provides security services such as data confidentiality, data integrity, identity authentication, and non-repudiation for various information systems. However, cryptography used in real-world applications faces many problems, such as key leakage, keys that are easy to guess, predictable random numbers, fake digital certificates, the use of weak algorithms, and vulnerabilities in cryptographic protocol implementations, so that cryptographic technologies and methods that are theoretically secure (that is, provably secure under certain assumptions) cannot achieve the expected security goals. In particular, with the continuous advancement of the informatization process, more and more sensitive services are going online. Whether cryptosystems can provide effective security services in real environments is therefore an urgent issue.
Generally, cryptosystems can be divided into two parts: the cryptographic algorithm and the key. Therefore, the focus of security applications of cryptography can also be divided into cryptographic algorithms and keys. In recent years, international research on security applications of cryptography has mainly focused on six topics: 1) key management, including key management strategies and methods over the whole life cycle of key generation, distribution, use, storage, backup, recovery and destruction, especially in application environments such as the Internet, the Internet of Things, the Internet of Vehicles, and blockchain; 2) key protection, including white-box implementation of cryptographic algorithms, side-channel attacks and defenses, key protection schemes that resist various hardware and software attacks, and key protection for new application environments such as the Internet of Things and industrial control networks; 3) digital certificate services, including certificate transparency, trust enhancement for digital certificate services, blockchain-based digital certificate services, PGP certificate management security, etc.; 4) cryptographic protocol security, such as TLS 1.3 protocol implementation security, single sign-on service security, threshold cryptographic algorithm design and application, etc.; 5) high-speed implementation of cryptographic algorithms, such as high-speed implementation on general-purpose computing platforms, cryptographic algorithm implementation on resource-constrained platforms, GPU/FPGA/ASIC high-speed implementation, etc.; 6) cryptographic evaluation, such as random number theory and application, cryptographic application security evaluation, etc.
In order to promote the development of and research on security applications of cryptographic technologies in China, it is our honor to organize this special issue titled "Security Applications of Cryptography" at the Journal of Cryptologic Research, aiming at collecting state-of-the-art research results in the field of security applications of cryptography from Chinese scholars. This special issue includes eight papers, which are briefly summarized as follows.
The paper titled "Research Progresses on Security Applications of Cryptography and Discussions on Validation of Software Cryptographic Modules" is a review paper, which first introduces the security requirements of current security applications of cryptography and of cryptographic module validation. The paper then surveys the research progress on the security applications of cryptography, including the adoption of theoretical cryptography-based solutions, the design and implementation of random number generators, the security of cryptographic keys, the usage control of cryptographic computations, key management and PKI, and the secure implementation of application-layer cryptographic protocols. Finally, based on this research progress, some special issues concerning the security of software cryptographic implementations are discussed.
The paper titled "White-box Implementation of Multiple Point Operation and Its Applications" proposes a new white-box implementation of the elliptic curve multiple point operation. The design strategy is to express the multiple factor in a special form, to protect its components with lookup tables, and to use networked lookup tables to eliminate the random masks. With these techniques, the multiple factor is hidden while the algorithm still produces correct outputs. The strategy is then applied to the SM2/9 decryption algorithms; the resulting white-box implementations provide standard input/output algorithm interfaces. Furthermore, the design strategy is generalized to the modular exponentiation operation to obtain a white-box implementation of the RSA algorithm.
The paper titled "Security Definition Against Mass Surveillance, Revisited" points out that the anti-subversion standard of current cryptosystems is considerably strict, which is not conducive to the implementation of most existing defense methods. The paper proposes a security definition for subversion attacks that more directly reflects practical needs, and formally proves that all cryptosystems meeting the current anti-subversion standard also meet the proposed security definition. Then, based on the "decomposition and amalgamation" model, the paper proposes a defending strategy named isolated operation, which prohibits certain algorithms from accessing users' business data. Compared with most existing defending strategies, isolated operation is more practical. Symmetric encryption schemes satisfying security preservation against subversion in the partial subversion model and in the complete subversion model are designed respectively.
The paper titled "A NoisyRounds-based White-box AES Implementation and Corresponding Differential Fault Analysis" builds on DummyRounds and Chow et al.'s WBAES to introduce NoisyRounds-WBAES, which resists DFA. In particular, NoisyRounds-WBAES obfuscates the 10th round function of WBAES and applies some self-counteracting redundant computations. Without external encoding, the n-round NoisyRounds can obfuscate DFA tool analysis with a computational complexity of O(n^4).
The paper titled "A New Method for White-box Implementation of SM4 Algorithm" presents a new white-box implementation of the SM4 algorithm, which expands the internal state of the algorithm and obfuscates the key by adding random numbers while the cryptographic algorithm runs. This scheme can effectively resist code extraction attacks and the BGE attack. In addition, the memory space required by the algorithm is given, and the main overhead of the proposed implementation under different existing analysis methods is reported through experiments.
The paper titled "Key Agreement Protocol with Dynamic Property for VANETs" addresses the high number of communication rounds and the low efficiency of key updates in traditional key agreement protocols, and proposes a key agreement protocol with dynamic property for VANETs. The symmetric balanced incomplete block design (SBIBD) and indistinguishability obfuscation are employed to support efficient key updates and the dynamic property of the proposed key agreement protocol. In addition, by using indistinguishability obfuscation, the paper designs an efficient key update operation to achieve efficient key updates in dynamic VANETs.
The paper titled "Analysis and Improvement of Certificateless Signature Schemes" proposes linearization equation analysis, and demonstrates through this analysis that some existing CLS schemes cannot resist both Type-I and Type-II attacks. The paper explains the essential reason why adversaries can successfully forge a valid signature in CLS schemes. Furthermore, in order to break the simple linearization relation, the paper presents an improved CLS scheme and proves its unforgeability against adversaries based on the intractability of the elliptic curve discrete logarithm problem in the random oracle model.
The paper titled "On the Design of Key Life Cycle Demonstration Based on Blockchain Technology" designs a blockchain-based key life cycle demonstration scheme. The application of blockchain technology in PKI and other fields is explored. For practical application scenarios, five core functions are designed: key generation, public key query, key update, key cancellation and key archiving. By exploiting the decentralized nature of blockchain, the resulting decentralized network responds to concurrent requests more efficiently, and it has outstanding advantages such as decentralization, collective maintenance, security and trust, traceability, and tamper resistance. This scheme effectively solves the problems of traditional key life cycle management.
We hope that this special issue will attract more researchers to the security applications of cryptography.