标准模型下抗CPA与抗CCA2的RSA型加密方案

doi:10.3969/j.issn.0372-2112.2018.08.019

电子学报 ›› 2018, Vol. 46 ›› Issue (8): 1938-1946.DOI: 10.3969/j.issn.0372-2112.2018.08.019

标准模型下抗CPA与抗CCA2的RSA型加密方案

巩林明^1,2, 李顺东², 窦家维³, 王道顺⁴

1. 西安工程大学计算机科学学院, 陕西西安 710048;
2. 陕西师范大学计算机科学学院, 陕西西安 710062;
3. 陕西师范大学数学与信息科学学院, 陕西西安 710062;
4. 清华大学计算机科学与技术系, 北京 100084

收稿日期:2016-02-25 修回日期:2017-11-20 出版日期:2018-08-25 发布日期:2018-08-25
通讯作者: 窦家维
作者简介:巩林明 男,1979年4月生,山东青岛人.2016年获陕西师范大学计算机软件与理论专业工学博士学位.西安工程大学计算机科学学院教师.主要从事密码学与信息安全研究.E-mail:glmxinjing@163.com;李顺东 男,1963年12月生,河南平顶山人.2003年在西安交通大学获计算机科学与技术工学博士学位.陕西师范大学计算机科学学院教授、博士生导师.主要从事密码学与信息安全研究.E-mail:shundong@snnu.edu.cn;王道顺 男,1963年出生,四川人,博士.清华大学计算机科学与技术系副教授、博士生导师.主要从事密码学与信息安全研究.E-mail:daoshun@tsinghua.edu.cn
基金资助:
国家自然科学基金（No.61272435，61373020）；西安工程大学博士科研启动基金（No.107020331）

RSA-type Encryption Schemes Against CPA and CCA2 in Standard Model

GONG Lin-ming^1,2, LI Shun-dong², DOU Jia-wei³, WANG Dao-shun⁴

1. School of Computer Science, Xi'an Polytechnic University, Xi'an, Shaanxi 710048, China;
2. School of Computer Science, Shaanxi Normal University, Xi'an, Shaanxi 710062;
3. School of Mathematics and Information Science, Shaanxi Normal University, Xi'an, Shaanxi 710062, China;
4. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China

Received:2016-02-25 Revised:2017-11-20 Online:2018-08-25 Published:2018-08-25

摘要/Abstract

摘要： RSA型加密系统（RSA加密系统及其改进系统的统称）至今仍然被广泛应用于许多注重电子数据安全的电子商务系统中.然而对现有的RSA型加密方案分析发现：（1）只有在随机谕言机模型下抗CCA2攻击的RSA型加密方案，还没有在标准模型下实现IND-CCA2安全的RSA型概率加密方案；（2）没有在标准模型下实现抗CPA且保持乘法同态性的RSA型同态加密方案，而同态性是实现安全多方计算和云计算安全服务的重要性质之一；（3）在实现密文不可区分方面，这些方案除HD-RSA外都是通过一个带hash的Feistel网络引入随机因子的，从而导致这些方案只能在随机谕言机模型下实现IND-CCA2安全.针对以上问题，本文在RSA加密系统的基础上，通过增加少量的有限域上的模指数运算，设计了一个标准模型下具有IND-CPA安全的RSA型概率同态加密方案和一个具有IND-CCA2安全的RSA型概率加密方案.这两个方案在实现密文不可区分时，都不再通过明文填充引入随机因子.此外，本文还提出一个RSA问题的变形问题（称作RSA判定性问题）.

关键词: RSA密码系统, IND-CCA2安全, 标准模型, 同态性, 概率加密

Abstract: RSA and its modified schemes (which are called by a joint name,RSA-type encryption schemes) are still deployed in many commercial systems where data security is very important.Analyzing RSA-type encryption schemes,we find that:(1) to the best of our knowledge,all these schemes are merely secure against adaptive chosen-ciphertext attack(CCA2) in the random oracle(RO) model,and there is no RSA-type schemes yet that is indistinguishable under adaptive chosen-ciphertext attack in the standard model;(2) there is no RSA-type scheme that is secure against chosen plaintext attack(CPA) but keeping multiplicative homomorphism,whereas encryption schemes with homomorphism are important for secure multi-party computations and secure cloud services;(3) except for the Hybrid Dependent RSA(HD-RSA),all the schemes introduce randomness into ciphertext by a Feistel network with hash functions;hence,this brings all the schemes to achieve IND-CCA2 security merely in RO model.In this paper,we propose two RSA-type encryption schemes that only need a few more modular arithmetic operations.One is indistinguishable against chosen plaintext attack with homomorphism,while another is indistinguishable against adaptive chosen ciphertext attack in standard model.Both schemes are probabilistic without plaintext padding.Furthermore,we propose a new variant RSA problem,which is called RSA decisional problem(denote by DRSA).

Key words: RSA cryptosystem, IND-CCA2 security, standard model, homomorphism, probabilistic encryption

中图分类号:

TP309

巩林明, 李顺东, 窦家维, 王道顺. 标准模型下抗CPA与抗CCA2的RSA型加密方案[J]. 电子学报, 2018, 46(8): 1938-1946.

GONG Lin-ming, LI Shun-dong, DOU Jia-wei, WANG Dao-shun. RSA-type Encryption Schemes Against CPA and CCA2 in Standard Model[J]. Acta Electronica Sinica, 2018, 46(8): 1938-1946.

参考文献

[1] 杨波.密码学中的可证明安全[M].北京:清华大学出版社,2017.
[2] Goldwasser S,et al.Probabilistic encryption[J].Journal of Computer and System Sciences,1984,28(2):270-299.
[3] Naor M,et al.Public-key cryptosystems provably secure against chosen ciphertext attacks[A].C Koutsougeras.Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing[C].New York:ACM,1990.427-437.
[4] Gentry C,et al.Using fully homomorphic hybrid encryption to minimize non-interative zero-knowledge proofs[J].Journal of Cryptology,2015,28(4):820-843.
[5] Koblitz N,et al.The random oracle model:a twenty-year retrospective[J].Designs,Codes and Cryptography,2015,77(2-3):587-610.
[6] Gu K,et al.Secure and efficient multi-proxy signature scheme in the standard model[J].Chinese Journal of Electronics,2016,25(1):93-99.
[7] 陈明.标准模型下可托管的基于身份认证密钥协商[J].电子学报,2015,43(10):1954-1962. Chen ming.Escrowable identity-based authenticated key agreement in the standard model[J].ACTA Electronia Sinica,2015,43(10):1954-1962.(in Chinese)
[8] Rivest R L,et al.A method for obtaining digital signatures and public-key cryptosystems[J].Communications of the ACM,1983,26(1):96-99.
[9] Jonsson J,et al.PKCS# 1:RSA Cryptography Specifications Version 2.2[R].https://www.rfc-editor.org/rfc/pdfrfc/rfc8017.txt.pdf,2016-11-6/2017-11-26.
[10] Pointcheval D.HD-RSA:Hybrid dependent RSA-a new public-key encryption scheme[J].Submission to IEEE P1363a,1999.
[11] Shoup V.OAEP reconsidered[J].Journal of Cryptology,2002,15(4):223-249.
[12] Boneh D.Simplified OAEP for the RSA and Rabin functions[A].Advances in Cryptology-CRYPTO 2001[C].Berlin Heidelberg:Springer,2001.275-291.
[13] Phan D H,Pointcheval D.OAEP 3-round:A generic and secure asymmetric encryption padding[A].Pil Joong Lee.Advances in Cryptology-ASIACRYPT 2004[C].Berlin Heidelberg:Springer,2004.63-77.
[14] Cui Y,et al.On achieving chosen ciphertext security with decryption errors[A].Hideki Imai.Proceedings of the Applied Algebra,Algebraic Algorithms and Error-Correcting Codes-16th International Symposium[C].Las Vegas:Springer,2006.173-182.
[15] 胡予濮,牟宁波,等.一种改进的三轮OAEP明文填充方案[J].计算机学报,2009,32(4):611-617. Hu Yu-Pu,Mu Ning-Bo,et al.An improved OAEP3-round padding scheme[J].Chinese Journal of Computers,2009,32(4):611-617.(in Chinese)
[16] 刘英莎,余文秋,等.一种增强的OAEP方案EAEP3+[J].计算机学报,2014,37(5):1052-1057. Liu Ying-Sha,Yu Wen-Qiu,et al.An enhanced OAEP scheme EAEP3+[J].Chinese Journal of Computers,2014,37(5):1052-1057.(in Chinese)
[17] Kiltz E,et al.Instantiability of RSA-OAEP under chosen-plaintext attack[J].Journal of Cryptology,2017,30(3):889-919.
[18] Kiltz E,Pietrzak K.On the security of padding-based encryption schemes-or-why we cannot prove OAEP secure in the standard model[A].Antoine Joux.Advances in Cryptology-EUROCRYPT 2009[C].Berlin Heidelberg:Springer,2009.389-406.
[19] Cramer R,Shoup V.A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack[A].Hugo Krawczyk.Advances in Cryptology-CRYPTO'98[C].Berlin Heidelberg:Springer,1998.13-25.
[20] Bellare M,et al.Hash-function based PRFs:AMAC and its multi-user security[A].Marc Fischlin.Annual International Conference on the Theory and Applications of Cryptographic Techniques[C].Berlin,Heidelberg:Springer,2016.566-595.
[21] Katz J,Lindell Y.Introduction to Modern Cryptography[M].Boca Raton:CRC Press,2014.

标准模型下抗CPA与抗CCA2的RSA型加密方案

RSA-type Encryption Schemes Against CPA and CCA2 in Standard Model

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 12

编辑推荐

Metrics

[1]	戚珉, 陈明. 标准模型下基于身份的混淆乐观公平交换方案[J]. 电子学报, 2020, 48(8): 1516-1527.
[2]	杨启良, 周彦伟, 杨坤伟, 王涛. 标准模型下可公开验证的匿名IBE方案的安全性分析[J]. 电子学报, 2020, 48(2): 291-295.
[3]	丁勇, 王冰尧, 袁方, 王玉珏, 张昆, 田磊. 支持第三方仲裁的智能电网数据安全聚合方案[J]. 电子学报, 2020, 48(2): 350-358.
[4]	赵艳琦, 来齐齐, 禹勇, 杨波, 赵一. 标准模型下基于身份的环签名方案[J]. 电子学报, 2018, 46(4): 1019-1024.
[5]	莫若, 马建峰, 刘西蒙, 张涛. 一种支持树形访问结构的属性基可净化签名方案[J]. 电子学报, 2017, 45(11): 2715-2720.
[6]	陈明. 标准模型下可托管的基于身份认证密钥协商[J]. 电子学报, 2015, 43(10): 1954-1962.
[7]	李琦, 马建峰, 熊金波, 刘西蒙, 马骏. 一种素数阶群上构造的自适应安全的多授权机构CP-ABE方案[J]. 电子学报, 2014, 42(4): 696-702.
[8]	马春光, 石岚, 周长利, 汪定. 属性基门限签名方案及其安全性研究[J]. 电子学报, 2013, 41(5): 1012-1015.
[9]	明洋, 王育民. 标准模型下可证安全的通配符基于身份加密方案[J]. 电子学报, 2013, 41(10): 2082-2086.
[10]	葛爱军, 马传贵, 程庆丰. 标准模型下CCA2安全且固定密文长度的模糊基于身份加密方案[J]. 电子学报, 2013, 41(10): 1948-1952.
[11]	李继国, 杨海珊, 张亦辰. 标准模型下安全的基于证书密钥封装方案[J]. 电子学报, 2012, 40(8): 1577-1583.
[12]	李继国;孙刚;张亦辰. 标准模型下可证安全的本地验证者撤销群签名方案[J]. 电子学报, 2011, 39(7): 1618-1623.