
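Preface to the Special Column on Chinese Commercial Public-Key Cryptography (Chinese and English)

2021-12-07 08:54:11 HUANG Xinyi, HE Debiao
Journal of Cryptologic Research, 2021, Issue 4
Keywords: digital signature, public key, encryption algorithm

WENG Jian, HUANG Xinyi, HE Debiao

1. Jinan University, Guangzhou 510632

2. College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117

3. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072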

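Cryptography is an important national strategic resource, bearing directly on national political security, economic security, defense security and information security. Under the Cryptography Law of the People's Republic of China, which formally took effect on January 1, 2020, cryptography is divided into core cryptography, common cryptography and commercial cryptography. Core and common cryptography are used to protect state-secret information and are themselves state secrets; commercial cryptography is used to protect information that is not a state secret, and citizens, legal persons and other organizations may lawfully use it to protect network and information security. Organized by the State Cryptography Administration, China's independently designed commercial cryptographic algorithms, including the elliptic-curve public-key algorithm SM2, the cryptographic hash algorithm SM3, the block cipher SM4, the stream cipher ZUC (Zu Chongzhi) and the identity-based cryptographic algorithm SM9, have become national standards and effectively safeguard national network and information security.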

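Although Chinese commercial cryptography has made the leap "from nothing to something", it was designed to meet the common, basic security needs of network and information systems. As informatization advances, more and more sensitive services are going online, giving rise to new security requirements such as exfiltration immunity, anonymous authentication, double-blind authentication, sharing among multiple parties and non-slanderability. There is an urgent need to build on existing Chinese commercial cryptography and carry out research on functional cryptography, so that network and information systems continue to receive effective security services.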

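This issue of Journal of Cryptologic Research organizes a special column on "Chinese Commercial Public-Key Cryptography". It focuses on the public-key algorithms of Chinese commercial cryptography, such as SM2 and SM9, and, in light of the new security requirements of network and information systems and the current state of development, presents on a small scale the recent research progress of Chinese scholars in this area. The column contains 4 papers, briefly introduced as follows: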

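The paper "Key Exfiltration on SM2 Cryptographic Algorithms" addresses the problem that Chinese commercial cryptographic algorithms are, in use, exposed to a range of analyses and attacks with different motives. Taking the SM2 digital signature algorithm and the SM2 public-key encryption algorithm as its objects of analysis, it proposes two efficient, hard-to-detect key exfiltration attacks: (1) against the SM2 digital signature algorithm, the key exfiltration attacker can recover the complete signing private key from two consecutive signatures; (2) against the SM2 public-key encryption algorithm, the key exfiltration attacker can predict the session key of the next encryption from the current ciphertext, and thereby gains the ability to decrypt ciphertexts. SM2 therefore faces a key exfiltration threat more serious than the generic attacks known so far. In response to the efficient attacks found, the paper discusses key-exfiltration-resistant techniques suitable for SM2, to safeguard the security of the SM2 digital signature algorithm and the SM2 public-key encryption algorithm.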

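The paper "SM2-Based Multi-Recipient Public-Key Encryption" addresses the need for secure data sharing from a single sender to multiple receivers in network and information systems. Based on the SM2 public-key encryption algorithm, it proposes a multi-recipient public-key encryption scheme with reusable randomness and proves, in the random oracle model, that the scheme is IND-CCA secure. The scheme protects data privacy in open multi-user network environments, and the randomness re-use technique it employs effectively reduces the sender's computation and greatly improves encryption efficiency.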

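The paper "Ring Signature Schemes Based on SM2 Digital Signature Algorithm" addresses the needs of network and information systems for anonymous authentication and for domestically developed, independent algorithms. Based on the SM2 digital signature algorithm, it proposes a ring signature scheme, a linkable ring signature scheme and two variants. It proves that the ring signature scheme satisfies correctness, unforgeability and unconditional anonymity, and that the linkable ring signature scheme satisfies correctness, unforgeability, unconditional anonymity, linkability and non-slanderability. Finally, a performance evaluation shows that the communication and computation costs of these schemes are linear in the number of ring members.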

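The paper "An Identity-Based Ring Signature Scheme for SM9 Algorithm" starts from the fact that ring signatures in an identity-based system provide anonymity protection and avoid cumbersome public-key certificate management. Based on the SM9 identity-based digital signature algorithm, it constructs an identity-based ring signature scheme whose user signing-key generation is consistent with that of SM9, and proves in the random oracle model that the scheme is unforgeable and anonymous. Finally, an efficiency analysis shows that the scheme's signing computation overhead and communication cost are lower than those of existing schemes, making it more practical.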

We hope this column will draw more scholars in China to the analysis and design of Chinese commercial cryptography.

Cryptography is an important strategic resource of a country, directly related to national security, including political, economic, national defense, and information security. The Cryptography Law of the People's Republic of China has been implemented since January 1, 2020. Under it, cryptography is classified into core, common, and SM cryptography. Core and common cryptography are used to protect national classified information (i.e. state secrets), and SM cryptography protects other information that is not a state secret. Citizens, legal persons, and other organizations may lawfully use SM cryptography to protect network and information security. Organized by the State Cryptography Administration, China's independently designed SM crypto algorithms (e.g. the elliptic curve public-key cryptography algorithm SM2, the cryptographic hash algorithm SM3, the block cipher algorithm SM4, the stream cipher algorithm ZUC, and the identity-based cryptography algorithm SM9) have become national standards, effectively guaranteeing national network and information security.

While SM crypto algorithms have achieved leapfrog development from scratch, their original intention was to meet the basic security requirements of network and information systems (NIS). With the continuous advancement of informatization, more and more sensitive services are provided online. This has given rise to various new security requirements such as leakage immunity, anonymous authentication, double-blind authentication, sharing among multiple users, and non-slanderability. It is urgent to carry out research on functional cryptography built on existing SM crypto algorithms, so as to keep providing effective security services for NIS.

This special column, titled "SM Public-Key Cryptography" and organized by Journal of Cryptologic Research, mainly focuses on public-key cryptography algorithms such as SM2 and SM9 in Chinese SM cryptography. In view of the new security requirements of network and information systems and the current state of development, it aims to collect state-of-the-art research progress of Chinese scholars in this field. The column includes four papers, briefly summarized as follows.

The paper titled "Key Exfiltration on SM2 Cryptographic Algorithms" discusses the vulnerability of SM crypto algorithms to various cryptanalyses and attacks with different motivations. It primarily investigates the security of the SM2 cryptographic algorithms against key exfiltration attacks and proposes two effective yet undetectable attacks on the SM2 signature scheme and the SM2 public-key encryption scheme. The first attack, on the SM2 signature scheme, enables the attacker to recover the secret key from two successive signatures. The second attack, on the SM2 public-key encryption scheme, enables the attacker to predict the current session key from the previous ciphertext and hence to recover the plaintext. The attacks show that key exfiltration attacks on the SM2 cryptographic algorithms could be much more effective than other known attacks. The paper further discusses effective approaches to strengthening the SM2 encryption and signature schemes against the proposed key exfiltration attacks.

The paper titled "SM2-Based Multi-Recipient Public-Key Encryption" focuses on the requirement of secure data sharing between one sender and multiple receivers in NIS. It proposes a randomness re-using multi-recipient public-key encryption (RR-MRPKE) scheme based on the SM2 encryption scheme, and proves that it is IND-CCA secure (in the sense of MRPKE) in the random oracle model. The proposed scheme provides data privacy in open networks, and the randomness re-use technique it employs effectively reduces the amount of computation and improves encryption efficiency.

The paper titled "Ring Signature Schemes Based on SM2 Digital Signature Algorithm" considers the requirements of anonymous authentication and domestic independence in NIS. It proposes a ring signature scheme and a linkable ring signature scheme based on the SM2 digital signature algorithm, as well as two variations of the SM2 linkable ring signature scheme. It is shown that the SM2 ring signature scheme satisfies correctness, unforgeability, and unconditional anonymity, and that the SM2 linkable ring signature scheme satisfies correctness, unforgeability, unconditional anonymity, linkability, and non-slanderability. The final efficiency analysis demonstrates that the communication costs and computation costs of the designed schemes are both linear in the number of ring members.

The paper titled "An Identity-Based Ring Signature Scheme for SM9 Algorithm" builds on the observation that ring signatures in an identity-based cryptographic system offer anonymity protection and avoid complex public-key certificate management. It constructs an identity-based ring signature scheme based on the SM9 signature scheme, with a user private-key generation algorithm consistent with that of the SM9 signature scheme. Moreover, the paper proves that the proposed ring signature scheme satisfies unforgeability and anonymity in the random oracle model. The final efficiency analysis shows that the proposed scheme has lower computation costs and communication overheads than existing schemes, and is hence more practical.

We hope this special column will attract more researchers to the cryptanalysis and design of SM crypto algorithms.
