BC加密模式的分析及其改进

郑凯燕; 王鹏

引用本文：

郑凯燕,王鹏.BC加密模式的分析及其改进[J].信息安全学报,2017,2(3):61-78 [点击复制]
ZHENG Kaiyan,WANG Peng.The concrete security of BC mode and its improvement[J].Journal of Cyber Security,2017,2(3):61-78 [点击复制]

本文已被：浏览 6162次下载 5517次	码上扫一扫！
BC加密模式的分析及其改进
郑凯燕^1,2,3, 王鹏^1,2,3
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所信息安全国家重点实验室, 北京 100093;2.中国科学院数据与通信保护研究教育中心, 北京 100093;3.中国科学院大学网络空间安全学院, 北京 100049)

摘要:

本文首次对国家标准GB/T 17964-2008中的BC加密模式进行了分析。在密文和随机串的不可区分（ROI-IND）的定义下，研究表明在常规的选择明文攻击下BC模式的机密性完全依赖于IV值的随机性；而在逐分组攻击（blockwise attack）下BC模式是不安全。因此，从具体应用角度来看，BC模式的实用性受限，例如其IV值不能作为Nonce使用，不能应用于在线消息处理场景，等等。针对这些问题，本文对BC加密模式进行了改进，提出了一种实用性更强的加密模式——基于Nonce的XBC模式，并证明了其在并发的逐分组适应的选择明文攻击下的机密性。

关键词: BC加密模式逐分组攻击加密模式/工作模式不可区分性 Nonce 选择明文攻击

DOI：10.19363/j.cnki.cn10-1380/tn.2017.07.004

投稿时间：2016-04-28修订日期：2017-03-24

基金项目:本课题得到国家自然科学基金（Nos.61272477，61472415）、国家重点基础研究发展（973）计划（No.2014CB340603）和中国科学院战略性先导科技专项（No.XDA06010702）资助。

The concrete security of BC mode and its improvement

ZHENG Kaiyan^1,2,3, WANG Peng^1,2,3

(1.State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093, China;3.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)

Abstract:

In this paper, we analyze the confidential security of the Block Chaining operation mode (BC mode) proposed in Chinese national standard GB/T 17964-2008. We define the real-or-ideal indistinguishability in the sense of distinguishing the ciphertext with random bits. Using this ROI-IND concept, we prove that: 1) the CPA-security of BC mode totally depends on the randomness of IV, suffering easily misuse in practical implementations; 2) BC mode can't resist the blockwise adptive attack, and fails to provide confidentiality in real on-line applications. To fix the defects of BC mode, we propose an improved encryption mode-nonce-respected XBC mode, which is proved to be confidential against the concurrent blockwise adaptive chosen plaintext attack. Compared to the original BC mode, this nonce-respected XBC mode is easier to correct use, even in on-line applications.

Key words: block chaining operation mode concurrent blockwise (adaptive) attack encryption mode indistinguishability nonce chosen plaintext attack