
Preface to the Special Issue on Security Applications of Cryptography (Chinese and English)

2020-12-03 03:46:15 Liu Jianwei, Lin Jingqiang, Huang Xinyi
Journal of Cryptologic Research, 2020, Issue 3
Keywords: white-box, key, cryptography

Liu Jianwei (劉建偉), Lin Jingqiang (林璟鏘), Huang Xinyi (黃欣沂), Wang Ding (汪定)

1. School of Cyberspace Security, Beihang University, Beijing 100083

2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093

3. College of Mathematics and Informatics, Fujian Normal University, Fuzhou 350117

4. School of Cyberspace Security, Nankai University, Tianjin 300350

Cryptography is the foundational theory of cyberspace security: it provides security services such as data confidentiality, data integrity, identity authentication and non-repudiation for all kinds of information systems. In practice, however, cryptographic applications face many problems, including key leakage, easily guessed keys, predictable random numbers, fraudulent digital certificates, use of weak algorithms and implementation flaws in cryptographic protocols, so that techniques and methods that are secure in theory (that is, provably secure under certain assumptions) fail to deliver the expected security. In particular, as informatization advances and ever more sensitive services go online, whether a cryptosystem can actually provide effective security services in a real environment is a question that demands attention.

A cryptosystem can generally be divided into an algorithm and a key, so the objects of concern in security applications of cryptography can likewise be divided into algorithms and keys. In recent years, international research on the security applications of cryptography has concentrated on: 1) key management, that is, the policies and methods for managing keys throughout their life cycle (generation, distribution, use, storage, backup, recovery and destruction), particularly in application environments such as the Internet, the Internet of Things, the Internet of Vehicles and blockchain; 2) key protection, including white-box implementations of cryptographic algorithms, side-channel attacks and countermeasures, key protection schemes that resist various software and hardware attacks, and key protection in new application environments such as the Internet of Things and industrial control networks; 3) digital certificate services, including certificate transparency, trust enhancement for certificate services, blockchain-based certificate services and the security of PGP certificate management; 4) cryptographic protocol security, such as the implementation security of TLS 1.3, the security of single sign-on services, and the design and application of threshold cryptographic algorithms; 5) high-speed implementation of cryptographic algorithms, such as high-speed implementations on general-purpose computing platforms, implementations on resource-constrained platforms, and high-speed GPU/FPGA/ASIC implementations; 6) cryptographic evaluation, such as the theory and application of random numbers and the security evaluation of cryptographic applications.

To promote research on and development of security applications of cryptography in China, we have organized a special issue on "Security Applications of Cryptography" in the Journal of Cryptologic Research, presenting in one place a small selection of recent research progress by Chinese scholars in this field. The special issue contains eight papers, briefly introduced below.

The paper "Research Progresses on Security Applications of Cryptography and Discussions on Validation of Software Cryptographic Modules" is a survey. It introduces current security applications of cryptography and the security requirements for cryptographic module validation, then summarizes existing research results on the selection of theoretical cryptographic schemes, the design and implementation of random number generators, key security, usage control of cryptographic computation, key management and PKI infrastructure, and the implementation security of application-level cryptographic protocols. Finally, building on those results, it discusses the particularities of software cryptographic implementations and the points that need attention in concrete deployments.

The paper "White-box Implementation of Multiple Point Operation and Its Applications" designs a new white-box implementation scheme for the elliptic curve multiple point (scalar multiplication) operation. By expressing the multiplier in a special form, constructing lookup tables that protect each of its components, and using networked table lookups to eliminate the masks of individual tables, the scheme computes the correct final result while preventing the multiplier from leaking. The authors then use this method to build a white-box implementation of the SM2/9 decryption algorithms with a standard I/O interface, in which the decryption private key is effectively hidden. Finally, the design strategy is extended to modular exponentiation to construct a white-box implementation of RSA.

The paper "Security Definition Against Mass Surveillance, Revisited" addresses the problem that the current subversion-resistance standard for cryptosystems is so demanding that most existing defenses cannot be deployed under it. It proposes a security definition against subversion attacks that reflects practical requirements more directly, and formally proves that every cryptosystem meeting the current subversion-resistance standard also meets the proposed definition. Under the new definition, the paper proposes a defense based on isolated execution of algorithms, built on the "decomposition and amalgamation" model and highly practical. Finally, it constructs symmetric encryption schemes based on isolated execution that satisfy the proposed definition in both the partial-subversion and the complete-subversion model.

The paper "A NoisyRounds-based White-box AES Implementation and Corresponding Differential Fault Analysis" combines random redundant round functions with the Chow et al. white-box AES (WBAES) mechanism to propose NoisyRounds, a hardening scheme for white-box AES. It changes the structure of the 10th round of Chow et al.'s white-box AES and appends round groups that confuse differential fault analysis (DFA), thereby resisting DFA attacks. With computational complexity O(n^4), the scheme increases the difficulty of DFA against white-box AES.

The paper "A New Method for White-box Implementation of SM4 Algorithm" combines key obfuscation with lookup-table techniques to design a white-box implementation of SM4 with an expanded internal state (the WSISE algorithm). The algorithm resists code extraction attacks and the BGE attack. The paper also gives the memory required by the algorithm and, through experiments, the main overhead of the proposed implementation under different existing analysis methods.

The paper "Key Agreement Protocol with Dynamic Property for VANETs" addresses the high number of communication rounds and the low key-update efficiency of traditional key agreement protocols. It designs a key agreement protocol for VANETs that supports efficient key update and dynamic membership, and proposes a shift-register-based construction of symmetric balanced incomplete block designs (SBIBD). In addition, using indistinguishability obfuscation, the paper designs an efficient key update operation, achieving efficient key update for dynamic VANETs.

The paper "Analysis and Improvement of Certificateless Signature Schemes" proposes a linearization equation analysis method and uses it to show that the certificateless signature schemes of several publications cannot resist Type I and Type II adversaries; it then summarizes the essential reason adversaries succeed in forging signatures in such schemes. The paper further proposes an improved certificateless signature scheme and proves it unforgeable in the random oracle model under the elliptic curve discrete logarithm assumption.

The paper "On the Design of Key Life Cycle Demonstration Based on Blockchain Technology" designs a blockchain-based demonstration scheme for the key life cycle. It explores applications of blockchain in PKI and related fields and, for realistic application scenarios, designs five core functions: key generation, public key query, key update, key revocation and key archiving. Using the decentralized nature of blockchain, a decentralized network responds to concurrent requests more efficiently and offers decentralization, collective maintenance, security and trustworthiness, traceability and tamper resistance, addressing the long-standing pain points of traditional key life cycle management.

We hope this special issue will draw more attention from domestic researchers to the security applications of cryptography.

Cryptography constitutes the basic theory of cyberspace security and provides security services such as data confidentiality, data integrity, identity authentication, and non-repudiation for various information systems. However, cryptography as used in real-world applications faces many problems, such as key leakage, easily guessed keys, predictable random numbers, fake digital certificates, use of weak algorithms, and vulnerabilities in cryptographic protocol implementations, so that cryptographic technologies and methods that are theoretically secure (that is, provably secure under certain assumptions) fail to achieve the expected security goals. In particular, with the continuous advancement of informatization, more and more sensitive services are going online, and whether a cryptosystem can provide effective security services in real environments is an urgent issue.

Generally, a cryptosystem can be divided into two parts: the cryptographic algorithm and the key. Therefore, the focus of security applications of cryptography can also be divided into cryptographic algorithms and keys. In recent years, international research on security applications of cryptography has mainly focused on six topics: 1) Key management, including key management strategies and methods over the whole life cycle of key generation, distribution, use, storage, backup, recovery and destruction, especially in application environments such as the Internet, the Internet of Things, the Internet of Vehicles, and blockchain; 2) Key protection, including white-box implementations of cryptographic algorithms, side-channel attacks and defenses, key protection schemes that resist various hardware and software attacks, and key protection in new application environments such as the Internet of Things and industrial control networks; 3) Digital certificate services, including certificate transparency, trust enhancement for digital certificate services, blockchain-based digital certificate services, PGP certificate management security, etc.; 4) Cryptographic protocol security, such as TLS 1.3 protocol implementation security, single sign-on service security, threshold cryptographic algorithm design and application, etc.; 5) High-speed implementation of cryptographic algorithms, such as high-speed implementations on general-purpose computing platforms, cryptographic algorithm implementations on resource-constrained platforms, high-speed GPU/FPGA/ASIC implementations, etc.; 6) Cryptographic evaluation, such as random number theory and application, security evaluation of cryptographic applications, etc.

In order to promote the development of and research on security applications of cryptographic technologies in China, it is our honor to organize this special issue titled "Security Applications of Cryptography" in the Journal of Cryptologic Research, aiming to collect state-of-the-art research results in the field of security applications of cryptography from Chinese scholars. This special issue includes eight papers, which are briefly summarized as follows.

The paper titled "Research Progresses on Security Applications of Cryptography and Discussions on Validation of Software Cryptographic Modules" is a review paper, which introduces the research progress on the security applications of cryptography and the security requirements of cryptographic modules. The paper surveys the research progress on the security applications of cryptography, including the adoption of theoretical cryptography-based solutions, the design and implementation of random number generators, the security of cryptographic keys, the usage control of cryptographic computations, key management and PKI, and the secure implementation of application-layer cryptographic protocols. Finally, based on this research progress, some special issues concerning the security of software cryptographic implementations are discussed.

The paper titled "White-box Implementation of Multiple Point Operation and Its Applications" proposes a new white-box implementation of the elliptic curve multiple point operation. The design strategy expresses the multiplier in a special form, protects its components with lookup tables, and uses networked lookup tables to eliminate the random masks. With these techniques the multiplier is hidden while the algorithm output is computed correctly. The paper applies this strategy to the SM2/9 decryption algorithms; the resulting white-box implementation provides standard input/output algorithm interfaces. Furthermore, the design strategy is generalized to the modular exponentiation operation to obtain a white-box implementation of the RSA algorithm.

The paper titled "Security Definition Against Mass Surveillance, Revisited" points out that the anti-subversion standard for current cryptosystems is considerably strict, which is not conducive to the implementation of most existing defense methods. The paper proposes a security definition for subversion attacks that more directly reflects actual needs, and formally proves that all cryptosystems meeting the current anti-subversion standard meet the proposed security definition. Then, the paper proposes a defending strategy named isolated operation, which prohibits certain algorithms from accessing the business data of users, based on the "decomposition and amalgamation" model. Compared with most existing defending strategies, isolated operation is more practical. Symmetric encryption schemes satisfying security preservation against subversion in the partial subversion model and in the complete subversion model are designed respectively.

The paper titled "A NoisyRounds-based White-box AES Implementation and Corresponding Differential Fault Analysis" introduces NoisyRounds-WBAES, based on DummyRounds and Chow et al.'s WBAES, to resist DFA. In particular, NoisyRounds-WBAES obfuscates the 10th round function in WBAES and applies some self-counteracting redundant computations. Without external encoding, the n-round NoisyRounds can obfuscate the DFA tool analysis with computational complexity O(n^4).

The paper titled "A New Method for White-box Implementation of SM4 Algorithm" presents a new white-box implementation of the SM4 algorithm, which expands the internal state of the algorithm and obfuscates the key by adding random numbers while the cryptographic algorithm runs. This scheme can effectively resist code extraction attacks and the BGE attack. In addition, the memory space required by the algorithm is given, and the main overhead of the proposed implementation under different existing analysis methods is given through experiments.

The paper titled "Key Agreement Protocol with Dynamic Property for VANETs" addresses the high number of communication rounds and the low efficiency of key update in traditional key agreement protocols, and proposes a key agreement protocol with dynamic property for VANETs. The symmetric balanced incomplete block design (SBIBD) and indistinguishability obfuscation are employed to support efficient key update and the dynamic property of the proposed key agreement protocol. In addition, by using indistinguishability obfuscation, the paper designs an efficient key update operation to achieve efficient key update in dynamic VANETs.

The paper titled "Analysis and Improvement of Certificateless Signature Schemes" proposes linearization equation analysis, and demonstrates through it that some existing CLS schemes cannot resist both Type-I and Type-II attacks. The paper explains the essential reason why adversaries can successfully forge a valid signature in CLS schemes. Furthermore, in order to break the simple linearization relation, the paper presents an improved CLS scheme and proves its unforgeability against adversaries based on the intractability of the elliptic curve discrete logarithm problem in the random oracle model.

The paper titled "On the Design of Key Life Cycle Demonstration Based on Blockchain Technology" designs a blockchain-based key life cycle demonstration scheme. The application of blockchain technology in PKI and other fields is explored. For practical application scenarios, five core functions are designed: key generation, public key query, key update, key cancellation and key archiving. Using the decentralized nature of the blockchain, a decentralized network can respond to concurrent requests more efficiently, and it has outstanding advantages such as decentralization, collective maintenance, security and trust, traceability, and tamper resistance. This scheme effectively solves the problems of traditional key life cycle management.

We hope this special issue will attract more researchers to the security applications of cryptography.
