China's independently developed identity-based SM9 encryption algorithm has been adopted as an ISO/IEC international standard, but an adversary can subvert the components of a cryptographic algorithm and thereby undermine its security, and such attacks were not taken into account when the SM9 encryption algorithm was designed. To address this problem, this paper first proposes a subversion attack model for identity-based encryption (IBE) and defines two properties, plaintext recoverability and undetectability; it then presents a subversion attack on the SM9 encryption algorithm and finds that an adversary can recover the plaintext from just two successive ciphertexts; finally, it proposes a subversion-resilient SM9 encryption algorithm (Subversion Resilient-SM9, SR-SM9) and proves that SR-SM9 not only satisfies ciphertext indistinguishability under adaptive chosen-identity and chosen-ciphertext attack but also resists subversion attacks. The paper tests SR-SM9 with the gmalg library in Python; the results show that SR-SM9 adds only 0.6% computational cost relative to the SM9 encryption algorithm and no communication cost.
Subversion Attacks and Countermeasures of SM9 Encryption
China's independently developed identity-based encryption algorithm SM9 has been adopted as an ISO/IEC international standard. However, an adversary can tamper with the components of a cryptographic algorithm to undermine its security, and such subversion attacks were not considered when SM9 encryption was designed. Whether SM9 encryption is vulnerable to subversion attacks, and how to resist them, has remained an open question. To answer it, this paper introduces a subversion attack model for identity-based encryption (IBE) and defines two properties: plaintext recoverability and undetectability. It then mounts a subversion attack on SM9 encryption and finds that an adversary can recover a plaintext from only two successive ciphertexts. It further proposes a subversion-resilient SM9 encryption scheme (SR-SM9) and proves that SR-SM9 is not only secure under adaptive chosen-identity and chosen-ciphertext attack (ID-IND-CCA2) but also subversion-resilient. Finally, SR-SM9 is implemented with the gmalg library in Python. Compared with SM9, SR-SM9 adds only 0.6% computation cost and no additional communication cost.
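The abstract does not spell out how the attack chains two ciphertexts together, so the following is an added illustration rather than the paper's construction or code: a generic algorithm-substitution attack on a randomized ElGamal-style hybrid encryption scheme, in which the subverted encryptor derives the randomness of each ciphertext from an embedded key z and the previous ciphertext's public component. Everything here is constructed for the example: the group (the multiplicative group modulo the Mersenne prime 2^127 - 1, used as a stand-in for SM9's pairing groups and far too small for real use), the key derivation, the names `SubvertedEncryptor`, `derive_r` and `recover_plaintext`, and the specific chaining strategy are assumptions, not SM9 or SR-SM9 details.

```python
"""Toy subversion attack in which an adversary holding an embedded key z
recovers a plaintext from two successive ciphertexts.  Constructed for this
example: the scheme, group parameters and chaining strategy are assumptions,
not the paper's SM9 attack or its SR-SM9 countermeasure."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = 2**127 - 1   # toy prime modulus (Mersenne prime); not a secure parameter
G = 3            # toy generator
ORDER = P - 1    # exponents are drawn from [1, ORDER - 1]

Ciphertext = Tuple[int, bytes, bytes]   # (C1 = G^r, C2 = masked message, tag)


def kdf(label: bytes, *parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join((label, *parts))).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")   # every group element is below 2^127


def random_exponent() -> int:
    return secrets.randbelow(ORDER - 1) + 1


def keygen() -> Tuple[int, int]:
    sk = random_exponent()
    return sk, pow(G, sk, P)


def keystream(key: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(kdf(b"stream", key, i.to_bytes(4, "big")) for i in range(blocks))[:n]


def encrypt_with_r(pk: int, m: bytes, r: int) -> Ciphertext:
    """Deterministic core of the scheme: whoever controls r controls the session key."""
    c1 = pow(G, r, P)
    key = kdf(b"kem", i2b(pow(pk, r, P)))
    c2 = bytes(a ^ b for a, b in zip(m, keystream(key, len(m))))
    tag = hmac.new(key, i2b(c1) + c2, hashlib.sha256).digest()
    return c1, c2, tag


def open_with_key(key: bytes, ct: Ciphertext) -> Optional[bytes]:
    """Verify the tag under `key` and unmask; None on a wrong key."""
    c1, c2, tag = ct
    expected = hmac.new(key, i2b(c1) + c2, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(c2, keystream(key, len(c2))))


def encrypt(pk: int, m: bytes) -> Ciphertext:
    """Honest encryptor: fresh randomness for every ciphertext."""
    return encrypt_with_r(pk, m, random_exponent())


def decrypt(sk: int, ct: Ciphertext) -> Optional[bytes]:
    return open_with_key(kdf(b"kem", i2b(pow(ct[0], sk, P))), ct)


def derive_r(z: bytes, prev_c1: int) -> int:
    """Assumed chaining rule shared by the subverted code and the adversary:
    the next exponent is a function of z and the previous, public, C1."""
    return int.from_bytes(kdf(b"subvert", z, i2b(prev_c1)), "big") % (ORDER - 1) + 1


class SubvertedEncryptor:
    """Drop-in replacement with the same interface and valid outputs (undetectable
    to a receiver).  Only the first ciphertext uses true randomness."""

    def __init__(self, z: bytes) -> None:
        self.z = z
        self.prev_c1: Optional[int] = None

    def encrypt(self, pk: int, m: bytes) -> Ciphertext:
        r = random_exponent() if self.prev_c1 is None else derive_r(self.z, self.prev_c1)
        ct = encrypt_with_r(pk, m, r)
        self.prev_c1 = ct[0]
        return ct


def recover_plaintext(z: bytes, pk: int, prev: Ciphertext, cur: Ciphertext) -> Optional[bytes]:
    """Plaintext recoverability: with z, the public key and two successive
    ciphertexts, the adversary decrypts `cur` without the secret key."""
    key = kdf(b"kem", i2b(pow(pk, derive_r(z, prev[0]), P)))
    return open_with_key(key, cur)


def demo() -> dict:
    sk, pk = keygen()
    z = bytes.fromhex("00" * 31 + "01")   # adversary's embedded subversion key
    subverted = SubvertedEncryptor(z)
    ct1 = subverted.encrypt(pk, b"first message")
    ct2 = subverted.encrypt(pk, b"second message")
    h1, h2 = encrypt(pk, b"honest one"), encrypt(pk, b"honest two")
    return {
        # undetectability: the receiver decrypts both ciphertexts normally
        "subverted_decrypts": (decrypt(sk, ct1) == b"first message"
                               and decrypt(sk, ct2) == b"second message"),
        # plaintext recoverability: the second ciphertext falls to the adversary
        "adversary_recovers": recover_plaintext(z, pk, ct1, ct2),
        # the first ciphertext was truly random, so there is nothing to chain from
        "first_is_safe": recover_plaintext(z, pk, ct1, ct1),
        # an honest implementation is not exploitable even with z
        "honest_is_safe": recover_plaintext(z, pk, h1, h2),
        # the wrong z recovers nothing
        "wrong_key_fails": recover_plaintext(b"\xff" * 32, pk, ct1, ct2),
    }
```

The check a practitioner would want is visible in `demo()`: a black-box validity test that only confirms ciphertexts decrypt correctly cannot flag the substituted encryptor, which is the undetectability property, while the adversary needs nothing beyond two consecutive ciphertexts and the public key to recover the second plaintext. Any countermeasure has to break the encryptor's control over the randomness across calls; how SR-SM9 does that is not stated in this abstract.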