本文已被:浏览 7858次 下载 6759次 |
码上扫一扫! |
BC加密模式的分析及其改进 |
郑凯燕1,2,3, 王鹏1,2,3
|
|
(1.中国科学院信息工程研究所信息安全国家重点实验室, 北京 100093;2.中国科学院数据与通信保护研究教育中心, 北京 100093;3.中国科学院大学网络空间安全学院, 北京 100049) |
|
摘要: |
本文首次对国家标准GB/T 17964-2008中的BC加密模式进行了分析。在密文和随机串的不可区分(ROI-IND)的定义下,研究表明在常规的选择明文攻击下BC模式的机密性完全依赖于IV值的随机性;而在逐分组攻击(blockwise attack)下BC模式是不安全。因此,从具体应用角度来看,BC模式的实用性受限,例如其IV值不能作为Nonce使用,不能应用于在线消息处理场景,等等。针对这些问题,本文对BC加密模式进行了改进,提出了一种实用性更强的加密模式——基于Nonce的XBC模式,并证明了其在并发的逐分组适应的选择明文攻击下的机密性。 |
关键词: BC加密模式 逐分组攻击 加密模式/工作模式 不可区分性 Nonce 选择明文攻击 |
DOI:10.19363/j.cnki.cn10-1380/tn.2017.07.004 |
投稿时间:2016-04-28修订日期:2017-03-24 |
基金项目:本课题得到国家自然科学基金(Nos.61272477,61472415)、国家重点基础研究发展(973)计划(No.2014CB340603)和中国科学院战略性先导科技专项(No.XDA06010702)资助。 |
|
The concrete security of BC mode and its improvement |
ZHENG Kaiyan1,2,3, WANG Peng1,2,3
|
(1.State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093, China;3.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China) |
Abstract: |
In this paper, we analyze the confidential security of the Block Chaining operation mode (BC mode) proposed in Chinese national standard GB/T 17964-2008. We define the real-or-ideal indistinguishability in the sense of distinguishing the ciphertext with random bits. Using this ROI-IND concept, we prove that: 1) the CPA-security of BC mode totally depends on the randomness of IV, suffering easily misuse in practical implementations; 2) BC mode can't resist the blockwise adptive attack, and fails to provide confidentiality in real on-line applications. To fix the defects of BC mode, we propose an improved encryption mode-nonce-respected XBC mode, which is proved to be confidential against the concurrent blockwise adaptive chosen plaintext attack. Compared to the original BC mode, this nonce-respected XBC mode is easier to correct use, even in on-line applications. |
Key words: block chaining operation mode concurrent blockwise (adaptive) attack encryption mode indistinguishability nonce chosen plaintext attack |