
An Online Encryption Scheme Based on the Double-Pipeline Structure

Double-Pipeline Online Encryption
Abstract: An online cipher processes its input block by block in a serial fashion and protects the security of the data. In recent years, designing authenticated encryption schemes with the online property has become a popular research topic, and many online authenticated encryption schemes based on blockciphers or fixed permutations have been proposed. Compression functions and hash functions are widely used in information security, yet few schemes are built on them. This paper takes compression functions as the underlying primitive. By adapting the double-pipeline construction, one of the basic constructions of hash functions, it resolves the conflict between the leakage of chaining-state values during encryption and the security requirement, and proposes a family of online schemes, called DPE, built from compression functions and the double-pipeline construction. The DPE family is intended for environments that already have a compression function, or a hash function built from one, and protects both the confidentiality and the integrity of data. Specifically, three schemes are presented: DPE, DPAE and DPAE-I. DPE is an online cipher that provides online encryption and online decryption. It updates the chaining state by iterating the underlying compression function and truncates part of the chaining state to form a key stream, which is XORed with the plaintext to produce the ciphertext when enciphering and with the ciphertext to recover the plaintext when deciphering. DPAE is an online authenticated encryption scheme (an OAE1 scheme) that adds an authentication step to DPE, so that the receiver of a message can verify its integrity using the tag. DPAE-I is a segmented online authenticated encryption scheme (an OAE2 scheme). Because DPAE supports intermediate tags, DPAE-I partitions a long message into several short messages, treats each short message as a segment, and encrypts each with DPAE. The internal state obtained after encrypting one segment is used as the initial state for encrypting the next segment. When the working memory is large enough, DPAE-I is online in both the encryption and the decryption direction. To reduce the cost of software and hardware implementation, when the output length of the compression function is half of its input length, a scheme of the family can be implemented with a single underlying compression function and a single key. The family inherits the characteristics of compression functions and of dedicated hash functions built from them, such as good one-wayness and high speed. It has four main properties: it is online, flexible, adaptable and highly secure. (1) When the working memory is large enough, a scheme in the DPE family computes and outputs the corresponding segment after reading an input segment. (2) Users can convert one type of scheme in the family into another by simple operations, according to their needs for confidentiality and integrity protection, and can trade off data throughput against security by choosing different underlying compression functions. (3) The compression functions of hash functions such as SHA-256, SHA-512, WHIRLPOOL and SM3 can be used as the underlying primitive. (4) By using a large compression function as the underlying primitive, the family can provide stronger security protection than authenticated encryption schemes built from blockciphers; and, owing to the double-pipeline structure, it also has some security advantages over other schemes built from compression functions.
Authors: SUI Han (眭晗); WU Wen-Ling (吴文玲); ZHANG Li-Ting (张立廷) (Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190)
Source: Chinese Journal of Computers (《计算机学报》), indexed in EI, CSCD and the Peking University Core Journals list, 2018, Issue 5, pp. 1143-1156 (14 pages)
Funding: Supported by the National Natural Science Foundation of China (61672509, 61572484) and the National Cryptography Development Fund (MMJJ20170101)
Keywords: online cipher; authenticated encryption; online authenticated encryption; double-pipeline construction; compression function
