National Natural Science Foundation of China (62072054, U2001205, 61772326, 61802241, 61802242); Key Research and Development Program of Shaanxi Province (2021GY-047, 2022GY-032)
Since the Snowden revelations, the threat posed by backdoor attacks, typified by algorithm substitution attacks, has attracted wide attention. Such attacks tamper undetectably with the algorithm flow of a cryptographic protocol participant, embedding a backdoor in the algorithm in order to obtain secret information. Deploying a cryptographic reverse firewall (CRF) for protocol participants is the main means of resisting algorithm substitution attacks. Identity-based encryption (IBE), as a widely used public-key encryption system, urgently needs suitable CRF schemes. However, existing work only realizes the rerandomization function of the CRF and ignores the security risk of sending the user's private key directly to the CRF, which is a third party. To address these problems, this paper first gives formal definitions and a security model for the security properties of a CRF applicable to IBE. Second, it proposes the formal definition of rerandomizable and key-malleable secure channel free IBE (RKM-SFC-IBE), together with methods for transforming traditional IBE into RKM-SFC-IBE and for adding anonymity. Finally, based on RKM-SFC-IBE, it gives a generic construction of the corresponding CRF, along with concrete CRF constructions for IBE schemes in the standard model and performance optimization methods. Compared with existing work, this paper proposes a complete CRF security model for IBE, gives a generic construction method, and clarifies the basic principles for constructing CRFs for more expressive encryption schemes.
Since the Snowden revelations, threats from backdoor attacks, represented by the algorithm substitution attack (ASA), have attracted wide attention. This kind of attack subverts, in an undetectable manner, the algorithms run by cryptographic protocol participants, embedding backdoors that leak secrets. Building a cryptographic reverse firewall (CRF) for protocol participants is a well-known and feasible approach against ASA. Identity-based encryption (IBE), as a widely used public-key encryption primitive, is of vital importance to protect with appropriate CRF schemes. However, the existing work only realizes CRF re-randomization, ignoring the security risk of sending users' private keys directly to the third-party CRF. Given the above problem, the formal definition and security model of the security properties of a CRF applicable to IBE are proposed. Then, the formal definition of rerandomizable and key-malleable secure channel free IBE (RKM-SFC-IBE) and the method of transforming traditional IBE into RKM-SFC-IBE are presented. In addition, an approach to increasing anonymity is also given. Finally, a generic provably secure framework for CRF construction for IBE is proposed based on RKM-SFC-IBE, with several instantiations from classic IBE schemes in the standard model and simulation results with optimization methods. Compared with existing work, the proposed scheme is proven secure under a more complete security model, offers a generic approach to building CRFs for IBE schemes, and clarifies the basic principles for constructing CRFs for more expressive encryption schemes.